[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]





    IDENTITY THEFT: THE CAUSES, COSTS, CONSEQUENCES, AND POTENTIAL 
                               SOLUTIONS

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
                POLICY, INTERGOVERNMENTAL RELATIONS AND
                               THE CENSUS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 22, 2004

                               __________

                           Serial No. 108-272

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform


                                 ______

                    U.S. GOVERNMENT PRINTING OFFICE
98-486                      WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001

                     COMMITTEE ON GOVERNMENT REFORM

                     TOM DAVIS, Virginia, Chairman
DAN BURTON, Indiana                  HENRY A. WAXMAN, California
CHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California
ILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York
JOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York
JOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania
MARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
DOUG OSE, California                 DENNIS J. KUCINICH, Ohio
RON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois
TODD RUSSELL PLATTS, Pennsylvania    JOHN F. TIERNEY, Massachusetts
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida              DIANE E. WATSON, California
EDWARD L. SCHROCK, Virginia          STEPHEN F. LYNCH, Massachusetts
JOHN J. DUNCAN, Jr., Tennessee       CHRIS VAN HOLLEN, Maryland
NATHAN DEAL, Georgia                 LINDA T. SANCHEZ, California
CANDICE S. MILLER, Michigan          C.A. ``DUTCH'' RUPPERSBERGER, 
TIM MURPHY, Pennsylvania                 Maryland
MICHAEL R. TURNER, Ohio              ELEANOR HOLMES NORTON, District of 
JOHN R. CARTER, Texas                    Columbia
MARSHA BLACKBURN, Tennessee          JIM COOPER, Tennessee
PATRICK J. TIBERI, Ohio              BETTY McCOLLUM, Minnesota
KATHERINE HARRIS, Florida
                                     BERNARD SANDERS, Vermont 
                                         (Independent)

                    Melissa Wojciak, Staff Director
       David Marin, Deputy Staff Director/Communications Director
                      Rob Borden, Parliamentarian
                       Teresa Austin, Chief Clerk
          Phil Barnett, Minority Chief of Staff/Chief Counsel

   Subcommittee on Technology, Information Policy, Intergovernmental 
                        Relations and the Census

                   ADAM H. PUTNAM, Florida, Chairman
CANDICE S. MILLER, Michigan          WM. LACY CLAY, Missouri
DOUG OSE, California                 STEPHEN F. LYNCH, Massachusetts
TIM MURPHY, Pennsylvania             BETTY McCOLLUM, Minnesota
MICHAEL R. TURNER, Ohio

                               Ex Officio

TOM DAVIS, Virginia                  HENRY A. WAXMAN, California
                        Bob Dix, Staff Director
           Dan Daly, Professional Staff Member/Deputy Counsel
                         Juliana French, Clerk
            Adam Bordes, Minority Professional Staff Member


                            C O N T E N T S

                              ----------                              
Hearing held on September 22, 2004
Statement of:
    Schmidt, Howard, former White House Cybersecurity advisor, 
      and vice president, chief information security officer, 
      eBay, Inc.; Bill Hancock, vice president, security practice 
      & strategy, chief security officer, Savvis Communications 
      Corp.; Bill Conner, chairman and chief executive officer, 
      Entrust, Inc.; and Jody Westby, chair of privacy and 
      computer crime committee, American Bar Association, section 
      of science and technology law, and managing director, 
      PricewaterhouseCoopers
    Swindle, Orson, Commissioner, Federal Trade Commission; 
      Steven Martinez, Deputy Assistant Director, Cyber Division, 
      Federal Bureau of Investigation; Larry Johnson, Special 
      Agent in Charge, Criminal Investigative Division, U.S. 
      Secret Service; and Patrick O'Carroll, Acting Inspector 
      General, Social Security Administration
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the 
      State of Missouri, prepared statement of
    Conner, Bill, chairman and chief executive officer, Entrust, 
      Inc., prepared statement of
    Hancock, Bill, vice president, security practice & strategy, 
      chief security officer, Savvis Communications Corp., 
      prepared statement of
    Johnson, Larry, Special Agent in Charge, Criminal 
      Investigative Division, U.S. Secret Service, prepared 
      statement of
    Martinez, Steven, Deputy Assistant Director, Cyber Division, 
      Federal Bureau of Investigation, prepared statement of
    O'Carroll, Patrick, Acting Inspector General, Social Security 
      Administration, prepared statement of
    Putnam, Hon. Adam H., a Representative in Congress from the 
      State of Florida, prepared statement of
    Schmidt, Howard, former White House Cybersecurity advisor, 
      and vice president, chief information security officer, 
      eBay, Inc., prepared statement of
    Swindle, Orson, Commissioner, Federal Trade Commission, 
      prepared statement of
    Westby, Jody, chair of privacy and computer crime committee, 
      American Bar Association, section of science and technology 
      law, and managing director, PricewaterhouseCoopers, 
      prepared statement of

 
    IDENTITY THEFT: THE CAUSES, COSTS, CONSEQUENCES, AND POTENTIAL 
                               SOLUTIONS

                              ----------                              


                        WEDNESDAY, SEPTEMBER 22, 2004

                  House of Representatives,
   Subcommittee on Technology, Information Policy, 
        Intergovernmental Relations and the Census,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 2:46 p.m., in 
room 2154, Rayburn House Office Building, Hon. Adam Putnam 
(chairman of the subcommittee) presiding.
    Present: Representatives Putnam and Clay.
    Staff present: Bob Dix, staff director; John Hambel, senior 
counsel; Dan Daly, professional staff/deputy counsel; Juliana 
French, clerk; Adam Bordes, minority professional staff member; 
and Jean Gosa, minority assistant clerk.
    Mr. Putnam. A quorum being present, this hearing of the 
Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census will come to order.
    Good afternoon, and welcome to the subcommittee's hearing 
entitled, ``Identity Theft: The Causes, Costs, Consequences, 
and Potential Solutions.''
    Today the subcommittee conducts its 11th hearing this 
Congress on cybersecurity issues, and this is the 39th hearing 
overall of this subcommittee in the 108th Congress. I certainly 
want to commend staff for the majority and staff for the 
minority and the hard work that they have put into all of these 
hearings and the work of the membership, as we have covered an 
awful lot of ground in this Congress.
    Throughout the 108th Congress, the subcommittee has focused 
a great deal of attention and oversight on the topic of 
computer information security, and the growing cyberthreat to 
this Nation. This hearing will examine the cybersecurity threat 
from a somewhat different perspective and delve into an issue 
that has already adversely impacted millions of Americans and 
has the potential to become even worse as more and more 
information is gathered, stored and shared through the Internet 
in an all too often unprotected environment.
    The issue is computer identity theft. I am concerned about 
the threat that identity theft poses to the U.S.' national and 
economic security. Identity theft is one of the fastest-growing 
crimes in the United States, and it appears that the 
battleground is expanding from one populated primarily by those 
seeking notoriety, to those seeking profit and disruptive 
impact. Federal statistics show that nearly 10 million 
identities were stolen in the United States last year alone, 
and that the total cost of this crime in the United States is 
approximately $50 billion per year. Some predict that the 
worldwide costs of identity theft in all of its forms will 
exceed $2 trillion in financial losses by the end of 2005. 
These numbers are staggering, and they highlight why this 
hearing is so important.
    As use of the Internet continues to expand every day, more 
personal information is converted into electronic data. Both 
the Federal Government and the private sector maintain large 
data bases of personal information about their employees and 
customers. The efficiencies realized through the increased 
availability of electronic data storage and transmission are 
tremendous, but the wealth of available personal information in 
digital form also provides a target-rich environment for 
criminals and terrorists. By hacking into data bases, paying 
off insiders, loading spyware onto users' machines or using 
fraudulent e-mails to trick users into revealing Social 
Security and other account numbers, criminals and terrorists 
are utilizing the Internet to profit illegally.
    It seems as if not a day goes by without a new report of 
some worm, virus, phishing scheme or other cybercrime 
threatening users of the Internet. This week we have also 
learned that there is a dramatic increase in the number of 
zombie PCs, also called bots. These are computers infected by 
worms or Trojans and taken over surreptitiously by hackers and 
used to send spam, more viruses, harvest financial and personal 
information, or launch denial of service attacks. It is 
estimated that the number of computers being taken over by 
remote control is now averaging 30,000 per day, peaking at 
75,000 in a single day. We need to quarantine and vaccinate 
infected computers, close the back doors, shut down the tunnels 
and cut off bad guy access to our computers and networks.
    A recent crackdown on cybercrime by the Department of 
Justice known as Operation Web Snare demonstrates just how 
large a problem cybercrime has become. The Department, through 
its U.S. Attorneys' offices, its Criminal Division, and the 
FBI, coordinated with the Secret Service, the FTC and a variety 
of other State, local and Federal and foreign law enforcement 
agencies, conducted this operation. Investigators identified 
more than 150,000 victims with estimated losses of more than 
$200 million. This operation to date has resulted in more than 
150 arrests and convictions for electronic crimes including 
identity theft, fraud, counterfeiting software, computer 
intrusions and other intellectual property crimes.
    We have representatives from the FBI, the FTC and the 
Secret Service with us here today. I applaud your efforts and 
the efforts of all of those involved in this operation, and I 
thank you for your service to this Nation.
    In addition to highlighting the threat of organized crime 
on the Internet, Operation Web Snare touched on another growing 
problem: the potential nexus between cybercrime and terrorism. 
The report on the operation noted that terrorists and their 
support groups are hiding behind the cloak of the Internet to 
conceal their true locations and to communicate, generate funds 
and develop resources in support of terrorism. Furthermore, the 
report noted an increase in on-line complaints in which 
illegally obtained funds are flowing to parts of the world 
where terrorist groups are known to operate.
    Operation Web Snare makes it clear that this is a global 
problem, and not only are criminals and terrorists aware of the 
vulnerabilities in cyberspace, but they are exploiting them for 
monetary profit as well. Make no mistake about it, our Nation's 
information systems are under attack 24 hours a day, 7 days a 
week from around the world. We cannot stick our heads in the 
sand and ignore these problems or continue to make excuses for 
why we are not taking more affirmative action. We have to 
address them head on and make sure that our cyberdefenses are 
prepared to repel these intruders.
    Unfortunately through the work of this subcommittee, 
through our extensive research and oversight, I am not 
convinced that we are prepared either in the public or the 
private sector to adequately deal with these problems. I fear 
that cybercrime may get worse before it gets better. And I do 
not wish to wait for some large-scale failure of our Internet 
infrastructure or the launch of a combined physical and 
confined cyberattack against our citizens and our economy 
before we as a Nation get serious about protecting our 
information systems.
    About a year ago, after several oversight hearings on the 
subject, in an information-gathering visit to Silicon Valley, I 
began to realize just how vulnerable this Nation had become to 
a growing and dangerous threat of cyberattack. Not only were 
Federal agencies failing to comply with the requirements of the 
law as outlined by FISMA, but the private sector was also 
seriously delinquent in its attention to these matters. After 
examining alternatives, we drafted the Corporate Information 
Security Accountability Act, which would have set forth certain 
computer information security plan reporting requirements for 
publicly traded companies in an effort to elevate the profile 
of this matter to the ``C'' level of management and respective 
boards of directors.
    I did not introduce the legislation at that time, 
preferring a private-sector-driven, market-based solution to 
this growing threat to the American people and the economy, and 
hearing from the private sector that they could address this 
issue without the assistance or intervention by Congress. Well, 
here we are a year later, and, quite frankly, not only has the 
problem not gotten much better, there is compelling evidence, 
some of which we will hear today, that the problem was getting 
worse, and perhaps a lot worse. Thankfully, there are some key 
stakeholders such as Microsoft, RSA and AOL who are taking 
visible steps to proactively address this challenge.
    But the world has grown to be a very dangerous place. Most 
of us make sure that we lock our doors and windows in our homes 
and businesses before we end the day. Some even pay extra to 
have an alarm system installed in their home or business to 
provide protection against unwanted intruders who wish to do us 
harm or steal our assets. In today's digital world, we must 
also protect our cyberassets and our personal information from 
intruders, both internal and external, from those who would do 
us harm and steal our information.
    We have not focused sufficiently on this challenge, and as 
a result our personal and national security, and our personal 
and national economic stability, are subject to a growing risk 
from enemies who may attack at any time of day and night from 
anywhere in the world 365 days a year.
    So today I call on this Nation, everyone in this Nation, to 
take immediate actions to increase their protection and to 
dramatically improve the cybersecurity profile of this country. 
We are all stakeholders, and we all have responsibility to be a 
part of the solution and not a continuing part of the problem.
    I call on major corporations to schedule on the agenda of 
their next senior management meeting and their next board of 
directors meeting, a discussion about your company's computer 
information security plan. This is a management, governance and 
business process issue and must be treated accordingly. Have 
you invested in the implementation of fundamental information 
security best practices and benchmarks, and is your IT security 
risk assessment and risk management plan up to date? The 
National Cybersecurity Partnership, with the tremendous help 
and leadership of the Business Software Alliance and others, 
has produced a Guide to Corporate Governance that provides 
tools and strategies that corporations can affordably implement 
immediately.
    I am tired of hearing that lawyers are advising against the 
adoption and implementation of cybersecurity best practices or 
on-line privacy policy because they are afraid that they may be 
creating liability. Friends, in my estimation, a failure to 
aggressively address these issues may in and of itself be 
creating the liability. While I am not a lawyer, I am a 
businessman, I am a citrus grower, taxpayer, I am an involved 
citizen. This issue is about national security and economic 
stability along with sound business practices and deserves 
immediate attention. How about training for employees and 
information about how to protect their home computers from 
unwanted intruders and thieves? What a great and inexpensive 
corporate benefit that would be. And for those who are already 
doing that, thank you, and keep up the great work.
    We call on the larger businesses of corporate America to 
work with your entire supply chain to demand that all the 
businesses that connect to your network understand the 
responsibility to make sure their systems are secure.
    We speak to the financial services sector, credit card 
companies, health care providers and others to reexamine their 
own information security protection profiles. Many Americans 
trust you with their most personal information and have an 
expectation that the information will remain confidential and 
protected.
    Why are we experiencing such a proliferation of identity 
theft? Is the day of the pin and password behind us, and we 
need to move immediately to a two-part authentication process 
that may include biometrics? Are we making the necessary 
investments to protect the information? Or do some view the 
cost of identity theft as merely the cost of doing business?
    I call on software and hardware manufacturers and the 
national associations that represent you to take the lead from 
a number of major CEOs who have already publicly committed to 
improving the quality and security of their products by issuing 
a public statement that makes that commitment in a manner that 
the public can have the confidence to know that you, too, view 
the proliferation of worms, viruses and other challenges 
resulting from vulnerabilities in your software and hardware 
products as a matter deserving of a greater investment of time 
and resources to provide sturdier and more secure products for 
the marketplace.
    I would further call on those same hardware and software 
manufacturers to expand your commitment to providing the 
consuming public with secure out-of-the-box computing products 
with user-friendly instructions, preset default security 
controls, and alerts about creating and maintaining a secure 
computing environment.
    I call on the manufacturers of these essential products to 
work more closely with critical infrastructure sectors to 
provide security and configuration requirements in advance and 
build those requirements into the life cycle development 
process to deliver more compatible, secure and higher-quality 
products to the marketplace. Companies like Oracle, Microsoft, 
Sun, Verizon and Entrust are examples of those who are taking 
this matter seriously.
    I call on Internet service providers and operating systems 
manufacturers to work more aggressively with other public and 
private stakeholders to provide consumers of all levels of 
sophistication--to provide information about affordable, user-
friendly tools that are available to help protect themselves 
and immediately improve their cybersecurity hygiene.
    We urge small businesses to take the time and learn about 
steps that you can take that are affordable and user-friendly 
to make your system more secure from the growing threats of 
cyberspace. There are fundamental steps in cybersecurity 
hygiene that will improve your protection profile overnight.
    You are an important stakeholder in this matter, and you 
have a responsibility to be a part of the solution. Home users 
are not exempt. Home users can become more aware of the tools 
that are available to improve the protection of their home 
computer. Make sure that you know about the antivirus software 
and personal firewalls and how to update your applications, 
including your operating system, in a timely manner.
    The National Cybersecurity Alliance is sponsoring National 
Cybersecurity Awareness Month during October, and you may get a 
lot of the necessary information about fundamental steps that 
you can take to protect yourselves by visiting their Website at 
www.staysafeonline.info.
    Today we call on the States and local governments to 
examine their own information security plans, along with their 
education, awareness and training programs, and, again, to 
speak to the agencies of the Federal Government, large and 
small, to step up and provide the example for the rest of the 
Nation. Receiving Ds and Fs on scorecards about requirements 
and compliance with the law is unacceptable. We must absolutely 
experience a recommitment by every Cabinet Secretary, 
department agency and bureau head to address the issue of 
securing the Federal computer networks and protecting the 
information assets that they contain. Federal CIOs and CISOs 
must be empowered to develop and implement effective strategies 
and to examine opportunities for enterprise solutions.
    And we call on Congress to work with all stakeholders, 
including military, intelligence and law enforcement agencies, 
domestic and international, to ensure an adequate level of 
preparedness to meet this growing cyberchallenge and recognize 
this battle in an overall threat domain.
    There is much that each of us can do today. The magnitude 
of this threat demands that we pay increased attention to the 
issue. If each of us takes the steps today to ensure that we 
have implemented the basic fundamental elements of 
cybersecurity hygiene, the cybersecurity protection profile of 
this Nation will improve overnight. We will send an enormous 
message to all of the bad guys that we take this challenge 
seriously, and we will take the necessary steps to protect our 
national security and economic stability.
    As e-government, e-commerce, e-banking and e-health 
continue to take hold, we must be sure that we have a 
comprehensive national strategy that provides flexibility, 
while encouraging innovation and creativity in developing the 
tools and strategies necessary to secure the computer networks 
of this Nation and to protect the information that they 
contain.
    Today's hearing provides the subcommittee the opportunity 
to examine this challenge in the context of the impact that 
unprotected computers and networks have had on the rise of 
computer-related identity thefts and the adverse impact that 
these data thefts are having on the national security and 
economic profile of this Nation.
    We will hear from experts about potential solutions to 
these problems, such as vulnerability management, credentialing 
and authentication tools which may help reduce the impacts of 
viruses, worms, spyware, spam and phishing, and in return 
reduce identity-related cyberthefts.
    I eagerly look forward to the expert testimony that our 
panel of leaders in information security will provide today, as 
well as the opportunity to discuss the challenges ahead. 
Today's hearing can be viewed live via Webcast by going to 
reform.house.gov and clicking on the multimedia link.
    [The prepared statement of Hon. Adam H. Putnam follows:]

    [GRAPHIC] [TIFF OMITTED] T8486.001 through T8486.006
    
    Mr. Putnam. At this time I would like to recognize the 
distinguished ranking member of the subcommittee, the gentleman 
from Missouri Mr. Clay, for his opening statement.
    Mr. Clay. Thank you, Mr. Chairman, for holding today's 
hearing for what is a new topic for our subcommittee, but also 
part of a growing threat to our Nation's economy, identity 
theft. That said, I am hopeful that our distinguished panelists 
will offer constructive and thoughtful proposals on how the 
Federal Government can be a catalyst for protecting its 
citizens from those using the Internet or other electronic 
methods for criminal activity.
    The costs associated with identity theft activities are 
staggering when accounting for both economic losses and the 
time dedicated by victims to remedying credit ratings and 
financial records. According to the FTC September 2003 survey, 
the personal costs accumulated by victims of identity theft 
total approximately $5 billion annually, with the average 
costs ranging between $500 and $1,200 per victim. In addition, 
approximately 15 percent of those surveyed had their personal 
information misused in nonfinancial activities, often 
subjecting them to legal investigations or other unwarranted 
personal invasions.
    Although the Federal Government has taken steps to counter 
identity theft-related activity, I remain troubled that 
identity-theft related investigations are not properly 
coordinated among local, State and Federal agencies. While 
progress has been made in coordinating such investigations 
through the FTC's Identity Theft Data Clearinghouse, efforts 
must continue to ensure its interconnectivity to all State and 
local law enforcement jurisdictions. Success can only be 
achieved when such systems are seamless and interoperable with 
all stakeholders.
    In closing, I am hopeful that this issue will remind us of 
the importance of ensuring the security of our Nation's 
critical infrastructure and the electronic commerce-based 
industry. Our Nation's security depends on it. Thank you, Mr. 
Chairman, and I yield back.
    Mr. Putnam. I thank the gentleman.
    [The prepared statement of Hon. Wm. Lacy Clay follows:]

    [GRAPHIC] [TIFF OMITTED] T8486.007 through T8486.008
    
    Mr. Putnam. And we will move right to testimony. I would 
ask the first panel of witnesses, and anyone accompanying you 
who will be providing support to your answers, to please rise 
and raise your right hands for the administration of the oath.
    [Witnesses sworn.]
    Mr. Putnam. I note for the record that all of the witnesses 
responded in the affirmative.
    I would like to introduce our first witness for his opening 
statement. All of your written testimony will be included for 
the record. We would ask you to summarize those statements to a 
5-minute opening, and we will begin with Mr. Swindle.
    Commissioner Orson Swindle was sworn in as a Commissioner 
on the Federal Trade Commission in December 1977. Commissioner 
Swindle was appointed in December 2001 as head of the U.S. 
delegation to the Organization for Economic Cooperation and 
Development experts group to review the 1992 OECD guidelines 
for the security of information systems. Commissioner Swindle 
has had a distinguished military career and served in the 
Reagan administration from 1981 to 1989 directing financial 
assistance programs to economically distressed rural and 
municipal areas of the country.
    We welcome you back to the subcommittee, sir, and you are 
recognized for 5 minutes.

   STATEMENTS OF ORSON SWINDLE, COMMISSIONER, FEDERAL TRADE 
 COMMISSION; STEVEN MARTINEZ, DEPUTY ASSISTANT DIRECTOR, CYBER 
   DIVISION, FEDERAL BUREAU OF INVESTIGATION; LARRY JOHNSON, 
SPECIAL AGENT IN CHARGE, CRIMINAL INVESTIGATIVE DIVISION, U.S. 
    SECRET SERVICE; AND PATRICK O'CARROLL, ACTING INSPECTOR 
            GENERAL, SOCIAL SECURITY ADMINISTRATION

    Mr. Swindle. Thank you. Mr. Chairman, Mr. Clay and members 
of the subcommittee, I appreciate this opportunity to discuss 
the theft and misuse of electronic data and the FTC's efforts 
to promote better information security practices. My written 
statement represents the views of the Commission. My comments 
today are my own and do not necessarily reflect those of the 
Commission.
    Consumers and businesses enjoy many benefits in today's 
information economy. We can purchase products, process 
financial transactions and access information at any time. The 
same information-rich data bases that make this possible also 
are attractive targets for identity thieves and other 
criminals. The challenge for each of us, consumers, businesses 
and government alike, is to protect these data bases and the 
national information infrastructure that supports them.
    Vulnerabilities and threats to the information economy are 
very real. Many instances have occurred in which computers are 
stolen, our networks penetrated, and sensitive personal 
information of thousands of individuals compromised. These 
breaches of information security lead to identity theft and 
impose great cost on both consumers and businesses. Perhaps 
more damaging is the loss of consumer confidence in using 
electronic commerce and the vast benefits of the information 
age.
    Addressing these threats begins with education. Consumers 
and businesses must learn how to better protect personal 
information. Law enforcement actions by the Federal Trade 
Commission and others can help stop harmful practices and 
highlight the importance of information security. We also 
encourage the development of authentication and other security 
technology to help protect consumers from spam and phishing 
attacks. This November the FTC will host a workshop to explore 
and promote the adoption of e-mail authentication standards.
    Improving information security is essential to our society. 
We have conducted security-related workshops, worked with the 
OECD on its information security guidelines, issued the Gramm-
Leach-Bliley Safeguards Rule, and brought numerous law 
enforcement actions. Some basic lessons are evident from our 
work.
    First, information security is an ongoing, never-ending 
process of assessing risks and vulnerabilities. As security 
threats and technologies constantly evolve, so must our 
security measures.
    Second, there is no one-size-fits-all solution for all 
organizations and types of information. Security procedures 
must be reasonable and appropriate with regard to the 
organization, the complexity and sensitivity of the information 
itself, and the nature and scope of activities in which the 
information is used.
    Third, there is no such thing as perfect security. Breaches 
can happen, even when a company or person has taken every 
reasonable precaution. Conversely, the absence of a breach does 
not necessarily mean that adequate security precautions are in 
place.
    Fourth, all computer users have an extraordinary role to 
play in achieving adequate information security, and they must 
do their job. Information security demands that all of us be 
involved.
    Recognizing these lessons, we believe there are some basic 
steps businesses can take to help minimize vulnerabilities and 
compromises. Businesses should implement a security plan and 
make good information practices an essential part of their 
business operations, literally a part of their business 
culture. Information security practices must include: risk 
assessment; identifying internal vulnerabilities and external 
threats to personal information; designing and implementing 
safeguards to control these risks; routinely evaluating 
effectiveness of these safeguards; adjusting the plan as 
necessary to maintain effective security; and overseeing the 
information-handling practices of third-party or affiliated 
service providers who have access to personal information.
    A good security plan includes effective response procedures 
should a breach or compromise of sensitive personal information 
occur. For example, if the breach would result in harm to a 
person or business, report the situation to appropriate law 
enforcement agencies. If a breach affects other businesses, 
such as when a company stores personal information on behalf of 
other businesses, notify that business.
    In addition, some breaches dictate that businesses notify 
customers. Although notifying customers or consumers may not be 
necessary in all situations, when identity theft is possible 
because of a breach, customers need to know this quickly. For 
example, the theft of Social Security numbers. Early 
notification of consumers allows them to take steps to limit 
harm, such as placing a fraud alert on their credit file with a 
consumer reporting agency. The FTC provides businesses valuable 
information and advice on steps to take in the event of an 
information security breach.
    Our law enforcement and education efforts should help deter 
identity theft before it occurs. However, identity theft will 
no doubt continue, and the FTC has a comprehensive program to 
assist consumers and businesses who become victims.
    The Commission serves as the Federal Government's central 
repository for identity theft complaints. We take the lead in 
referring complaints about identity theft to appropriate law 
enforcement authorities. We provide victim assistance and 
consumer education. Our identity theft Website provides a 
variety of resources for both customers and businesses.
    Educating customers and businesses about the risks to 
personal information and the importance of good security 
practices has high priority at the Commission. We will pursue 
those who violate information security laws, and we will 
provide assistance to victims of identity theft.
    Chairman Putnam, in closing I would like to thank you and 
Chairman Davis for your Dear Colleague letters in support of 
the National Cybersecurity Awareness Month and your personal 
leadership on these issues in general. Thank you for this 
opportunity today, and I look forward to responding to your 
questions.
    Mr. Putnam. Thank you very much, Commissioner.
    [The prepared statement of Mr. Swindle follows:]

    [GRAPHIC] [TIFF OMITTED] T8486.009 through T8486.025
    
    Mr. Putnam. Our next witness is Steven Martinez. Mr. 
Martinez began work for the FBI in 1987. He has held a variety 
of supervisory and investigative positions within the FBI 
throughout the United States. In February 2003, Mr. Martinez 
was assigned as the FBI's first on-scene commander at CENTCOM, 
or Central Command, in Doha, Qatar, and in Baghdad, Iraq, in 
the staging of Operation Iraqi Freedom. While there he was in 
charge of all deployed FBI personnel and managed the FBI's 
counterterrorism and counterintelligence efforts spanning the 
initial combat phase of the war.
    Mr. Martinez was appointed to his current position as 
Deputy Director of the Cyber Division in August 2004.
    Welcome to the committee, Mr. Martinez. You are recognized. 
Welcome home.
    Mr. Martinez. Thank you, Mr. Chairman.
    Again, good afternoon, Mr. Chairman and members of the 
subcommittee. I want to thank you for the opportunity to 
testify today regarding the FBI's efforts to combat identity 
theft as well as overlapping cybercrime problems.
    Some studies show that last year alone more than 10 million 
victims were victimized by identity theft, with estimated 
losses exceeding $50 billion. These efforts demonstrate the 
significant impact identity theft has on U.S. citizens and 
businesses.
    Identity theft is a growing problem and can manifest itself 
in many ways, to include large-scale intrusions into third-
party credit card processors, theft from the mails of printed 
checks and preapproved credit cards, credit card skimming, 
phishing schemes and other cyber-related crimes.
    More than 2 years ago, the FBI prioritized and restructured 
its approach to cybercrime with the establishment of the Cyber 
Division. Under the Cyber Division, the Internet Crime 
Complaint Center, or IC3, has focused on combating identity 
theft through the development of joint investigative 
initiatives with both our law enforcement partners and key e-
commerce stakeholders. The IC3 receives on average more than 
17,000 consumer complaints every month. Of the more than 
400,000 complaints referred to the IC3 since its opening in May 
2000, more than 100,000 can be characterized as identity theft.
    The FBI is working to combat identity theft on many fronts, 
to include targeting criminal spammers. Spam is often the front 
end of a number of cybercrime scenarios used to invite 
unsuspecting customers to provide personal, financial or credit 
card information. Multiple agency operations, coordinated by 
the FBI to include Operation Web Snare, SLAM-Spam, Cyber Sweep 
and E-Con, have successfully launched hundreds of identity theft 
investigations. These investigations, involving thousands of 
U.S. victims and millions in dollars of losses, have resulted 
in the successful identification and arrest of hundreds of 
subjects. These operations further serve to alert both 
customers and industry about new or evolving schemes through 
which they may fall victim to identity theft.
    Integral to each of such initiatives are public service 
advisories, which are developed in coordination with the FBI, 
our law enforcement partners and the FTC. These advisories are 
posted on law enforcement and industry Websites in order to 
warn the public about Internet identity theft scams.
    The FBI has also seen an increase in identity theft matters 
with a foreign nexus to include a number of subjects from 
Eastern Europe and Africa. Many of these subjects solicit their 
victims through Internet job postings, e-mail, chat rooms, 
requesting detailed personal information under the guise of 
offering legitimate employment opportunities.
    In response, the FBI has developed a close working 
partnership with many international law enforcement agencies, 
frequently providing agents and resources abroad in order to 
directly go after perpetrators.
    Finally, computer intrusions can also significantly 
contribute to the problem of identity theft. One such instance 
involved the hacking of an e-commerce company system, resulting 
in the network being compromised and the extortion of over 100 U.S. 
banks; 30 million credit card accounts, including subscriber 
information, were stolen as a result of the compromise.
    The FBI takes a proactive role in working to investigate 
these types of cases to include maintaining close private 
industry contacts through programs such as InfraGard, a public-
private alliance of more than 13,000 members.
    In closing, the problem of identity theft is a significant 
matter, impacting the life and livelihood of U.S. citizens. The 
FBI appreciates the opportunity to share with you our efforts 
and successes in addressing this problem. The FBI will continue 
to combat identity theft so that America's citizens and the 
economy can be protected. Thank you.
    Mr. Putnam. Thank you very much, Mr. Martinez.
    [The prepared statement of Mr. Martinez follows:]

    [GRAPHIC] [TIFF OMITTED] T8486.026 through T8486.035
    
    Mr. Putnam. Our next witness is Larry Johnson. Mr. Johnson 
has been a part of the Secret Service for 22 years and has held 
supervisory positions in both its Protective and Investigative 
Divisions. He currently holds the title of Special Agent in 
Charge of the Criminal Investigative Division and is 
responsible for the oversight of the Secret Service's criminal 
investigations, both domestic and abroad. The Criminal 
Investigative Division also manages the Secret Service's 
electronic crime programs and initiatives, including the 
specialized training of agents in computer forensics and the 
developments and implementation of the Secret Service's 
electronic crime task forces.
    Welcome to the subcommittee, sir, you are recognized for 5 
minutes.
    Mr. Johnson. Chairman Putnam, Mr. Clay, members of the 
subcommittee, thanks for inviting me today.
    In addition to providing the highest level of physical 
protection to our Nation's leaders, the Secret Service 
exercises broad investigative jurisdiction over a wide variety 
of financial crimes. As an original guardian of our Nation's 
financial payment system, the Secret Service has a long history 
of protecting American customers and industry from financial 
fraud. In recent years, the combination of the information 
revolution, the effects of globalization and the rise of 
international terrorism have caused the investigative mission 
of the Secret Service to evolve dramatically. The explosive 
growth of these crimes has resulted in the elevation of the 
Secret Service to an agency that is recognized worldwide for 
its expertise in the investigation of all types of financial 
crimes.
    In today's markets, customers routinely provide personal 
and financial identifiers to companies engaged in business on 
the Internet. Information trading and the wealth of personal 
information available creates a target-rich environment for 
today's sophisticated criminals, many of whom are organized and 
operate across international borders.
    Internet crime has increased significantly in the last 
several years. Since the early 1990's, organized computer 
underground networks have developed an extraordinary record of 
malicious software development. Starting in the late 1990's and 
increasing over the last few years, this criminal element has 
used such malicious software to penetrate financial and 
government institutions, extract data and illicitly traffic in 
stolen and financial identity information.
    Criminal networks engaged in electronic financial fraud 
participate in a wide range of activities in order to make 
their scheme successful. They first obtain and store financial 
data for future exploitation. Gaining access to this data 
involves various techniques, technical methods, including 
hacking, virus-writing, phishing and skimming.
    The criminal underground active in credit card fraud and 
identity theft crimes has rapidly adapted its operations to an 
on-line world, where it has found convenient solutions to the 
age-old problems in the forms of anonymous communication 
networks, as well as global, unregulated movement of illegally 
obtained funds.
    This has created new challenges for Federal and local law 
enforcement agencies. By working closely with international 
police agencies, other Federal, State and local law 
enforcement, the Secret Service is able to provide a 
comprehensive network of ongoing investigative operations, 
intelligence sharing, resource sharing and technical expertise 
that has bridged judicial boundaries. This partnership approach 
to law enforcement is exemplified by our financial and 
electronic crime task forces located throughout the country. 
These task forces primarily target suspects in criminal 
enterprises engaged in financial and electronic criminal 
activity that fall within the investigative jurisdiction of the 
Secret Service. Members of these task forces, who include 
representatives from local and State law enforcement, 
prosecutors' offices, private industry and academia, pool their 
resources and expertise in a collaborative effort to detect and 
prevent electronic crimes and identity theft.
    The value of this crime-fighting and crime-prevention model 
has been recognized by Congress, which has authorized the 
Secret Service, pursuant to the U.S. Patriot Act of 2001, to 
expand our electronic crimes task forces to cities and regions 
across the country. Two new electronic crime task forces will 
be established this month, bringing the total number of ECTFs 
to 15.
    The Secret Service Electronic Crimes Task Force Program 
bridges the gap between conventional cybercrime investigations 
and the larger picture of critical infrastructure protection. 
Secret Service efforts to combat cyber-based assaults that 
target information and communications systems supporting the 
financial sector are a part of the larger and more 
comprehensive critical infrastructure protection.
    A key element in our strategy of sharing information and 
operating with other Federal agencies, to include IC3, the 
Department of Treasury, Department of State and the FBI, are 
the 17 permanent U.S. Secret Service field offices that support 
both our protective and investigative missions. The Secret 
Service provides training for counterfeit investigations, 
financial crimes and computer intrusions to our international 
law enforcement partners.
    In a joint effort with the Department of Justice, the U.S. 
Postal Inspection Service, the FTC and the International 
Association of Police Chiefs, the Secret Service is hosting 
identity crime training seminars for local enforcement officers 
across the country. These training seminars are focused on 
providing local and State law enforcement officers with tools 
and resources that they can immediately put to use in their 
investigations of identity crime. Additionally, officers are 
provided resources that they can pass on to members of their 
community who are victims of identity crime.
    The Secret Service will continue its aggressive domestic 
and international pursuit of cybercriminals who are involved in 
the hacking of our Nation's computer systems, the intrusions of 
our networks and the theft of identities of U.S. citizens 
through mainly prevention and disruption. The Secret Service, 
with the assistance of the Department of Homeland Security, is 
committed to the deterrence and apprehension of all potential 
cybercriminal suspects who threaten citizens of the United 
States and its critical infrastructure.
    Mr. Chairman, that concludes my prepared statement.
    Mr. Putnam. Thank you very much, Mr. Johnson.
    [The prepared statement of Mr. Johnson follows:]

    [GRAPHIC] [TIFF OMITTED] T8486.036 through T8486.042
    
    Mr. Putnam. Our next witness is Patrick O'Carroll. Nice 
French name.
    Mr. O'Carroll currently serves as the acting inspector 
general for the Office of the Inspector General of the Social 
Security Administration. In fiscal year 2003, the office of 
investigators has reported over $356 million in investigative 
accomplishments.
    Prior to coming to the Social Security Administration, Mr. 
O'Carroll had 24 years of experience with the U.S. Secret 
Service. So we have two Secret Service representatives with us 
today. Throughout his career, Mr. O'Carroll has received 
numerous awards for his meritorious service.
    Welcome to the subcommittee, sir. You are recognized for 5 
minutes.
    Mr. O'Carroll. Good afternoon, Mr. Chairman and Mr. Clay. 
Thank you for the invitation today to be here for this 
important hearing. You have my statement for the record, so I 
will provide a few remarks.
    Protecting information is vital to the Social Security 
Administration and its programs. Any breach in the 
confidentiality or integrity of their data would seriously 
jeopardize the agency's mission and erode the public's 
confidence in SSA programs. As part of the mission of the SSA 
Office of the Inspector General, we work closely with the 
agency to ensure that SSA has the proper controls in place to 
preserve the integrity of its data and business processes. 
Today I will focus on why it is important to prevent electronic 
data theft, what my office is doing to help SSA, some of SSA's 
data security efforts, and what more needs to be done.
    The information technology revolution brings a heightened 
risk of disruption or sabotage of critical operations. We need 
to protect the public by preventing destruction and 
cyberattacks when possible, or ensuring that they are 
infrequent and manageable.
    Another threat to our essential electronic data is identity 
theft, the fastest growing form of white-collar crime in 
America. Our investigations in this area reveal how widespread 
the misuse of SSNs and other sensitive data from public and 
private sector data bases has become.
    The topic of identity theft is more than just dollars and 
numbers. Let me give you a specific example. We have recently 
received a letter from an individual who found that her and her 
husband's personal information was posted on a publicly 
available government Website complete with her Social Security 
number. In a letter to me, she indicated she had made multiple 
inquiries at the local, State and Federal level trying to have 
her personal information removed. The individual commented in 
her letter that the Government, both State and Federal, should 
do whatever is possible to ensure the integrity of every 
citizen's SSN. I couldn't agree more.
    In addition to our efforts regarding SSN misuse, we also 
consider investigations of employee fraud a high priority. It 
only takes one corrupt employee to compromise the integrity of 
the Social Security system. In particular, illegally used SSNs 
puts the financial integrity of the SSA system at risk and 
inhibits the country's work for terrorism.
    Let me discuss two of our successful investigations. In 
one, a 15-year SSA employee provided Social Security cards for 
a scheme in which immigrants paid up to $75,000 for 
citizenship. The SSA employee resigned and was only sentenced 
to 2 months of incarceration.
    In another, an SSA employee knowingly approved fraudulent 
applications for over 1,700 Social Security cards for 
approximately $1,000 each as part of a $4.3 million criminal 
enterprise. The SSA employee lost his job, was sentenced to 71 
months in prison, and was ordered to forfeit $1 million.
    SSA has made significant progress in strengthening SSN 
integrity and has implemented important suggestions which our 
office has made. SSA's efforts toward protection of electronic 
data include the SSA Enumeration Response Team comprised of 
agency executives, including OIG representatives, that has 
implemented numerous policies and procedures designed to better 
ensure that only individuals authorized to receive an SSN are 
available to do so.
    The agency is also piloting an on-line Social Security 
number verification system, which will allow employers and 
third parties to verify employer names and SSNs via the 
Internet, using information and SSA records for wage-reporting 
purposes. This system will also indicate if the SSA record 
shows that an employee is deceased.
    While SSA protects its data with numerous controls and 
safeguards, we are concerned about how other Federal agencies 
maintain security of SSNs. Given the potential risk, we believe 
Federal agencies would benefit by strengthening controls over 
the access, disclosure and use of SSNs by State and local 
governments and other external entities. Misused SSNs, stolen 
or misappropriated birth certificates, and false or 
fraudulently obtained drivers' licenses are keys to identity 
fraud in the United States. Our OIG works closely with SSA to 
help ensure the integrity of all of its data.
    As technology has advanced, SSA has kept pace in developing 
appropriate safeguards against intrusion. SSA must continue to 
strike a balance between the need to be user-friendly and the 
demands for increased security. Together with Congress and SSA, 
we have made important strides in reducing vulnerabilities, and 
that effort continues.
    Still, to strengthen our defenses even further, we believe 
that SSA should work with agencies across government to improve 
safeguards for data security. We also believe SSA and lawmakers 
should examine the feasibility of the following initiatives: 
limiting the SSN's public availability, prohibiting the sale of 
SSNs, and prohibiting their display on public records, and 
enacting strong enforcement mechanisms and stiffer penalties to 
discourage SSN issues.
    I would be happy to answer any questions you may have.
    [The prepared statement of Mr. O'Carroll follows:]

    [GRAPHIC] [TIFF OMITTED] T8486.043 through T8486.050
    
    Mr. Putnam. Thank you very much, and I want to thank all of 
our first panel of witnesses, and we will go straight to 
questions.
    Commissioner Swindle, in the current threat environment in 
which we live where systems face ongoing attacks, probes, or 
are constant for vulnerabilities, the bots, the zombies and 
everything else, some companies, it is becoming clear, are 
purposefully avoiding conducting IT risk assessments because of 
the fear that those assessments themselves will establish 
knowledge of vulnerabilities that could be used against them in 
litigation. What are your thoughts on the position that a lot 
of these companies have taken?
    Mr. Swindle. Mr. Chairman, I would compare their conduct to 
that conduct you spoke of earlier about lawyers recommending 
they don't have privacy policies so as to avoid liability. I 
think it is a road to suicide, quite frankly, because it will 
catch up with them eventually. And, I think consumers, as they 
become more aware of the full privacy issue and certainly 
information security issue, are going to look to companies that 
are responsible, and they will turn away from those that 
are not. Soon there will be more of those that are responsible 
than not, and the losers will be the ones that choose this 
course of action. I think it is incredibly dumb.
    I have encountered this in several fora that I have 
attended over the years, and I just look at them with 
astonishment that they would take that approach, because I 
don't think it is realistic. It is certainly not responsible.
    Mr. Putnam. Is there a need for some form of safe harbor 
that would encourage companies to conduct thorough examinations 
and then come forward with whatever deficiencies they find?
    Mr. Swindle. Safe harbor, I would say, is perhaps a good 
vehicle to protect those who do the right thing, and 
inadvertently have security failures, as I said, no security 
package is going to be complete. They have taken responsible 
actions, they have done as much as they could see to do, and a 
breach occurs--I don't think they should be held responsible 
for something they couldn't really avoid. But, I have a hard 
time giving people an easy way out, if you will. But, we may 
have to come to that position, because, as both Mr. Clay and 
yourself have mentioned, these problems are growing.
    We are making progress, but the problems are growing faster 
oftentimes than the progress, and it may be that we have to 
seek some kind of means to encourage people to get in and start 
doing the right thing. But, I would still prefer to see the 
private sector lead, for their own self-interest, to do the 
right thing. I am still not convinced that we are incapable of 
doing that. I have hopefully not unfounded confidence that we 
will do the right thing.
    Mr. Putnam. Thank you.
    Mr. Martinez, Mr. Johnson, a recent survey was conducted by 
Carnegie Mellon and Information Week of 100 small and medium-
sized businesses that found that 17 percent of the 
participating companies had been the targets of some form of 
cyberextortion. Could you tell us more about the cyberextortion 
problem and the trends that you are seeing out there, and what 
advice you would have for companies who are faced with that 
threat? With the FBI?
    Mr. Martinez. Well, in simplified terms, the cyberextortion 
is not just the mere use of the facility of the Internet to 
make an extortion demand, but instead a sophisticated hacker 
might find a vulnerability in a system, steal proprietary 
information, customer lists, personnel information from a 
company, and then pitch them that they can fix it. And if they 
aren't allowed to come in as a, ``consultant,'' they will 
release that information in a way that would be harmful to that 
company. That's one manner in which it can occur.
    Trends, the level of sophistication, absolutely is going 
up. The ease with which tools can be obtained to make the 
initial intrusion are becoming far, far more available and 
simpler to use. It doesn't take a rocket scientist to drive 
some of these tools at this point. It was mentioned previously 
about the playing field changing from hacking for fun to now 
hacking for profit.
    As far as advice goes, of course, good computer security, 
engaging in private industry partnership, partnerships with law 
enforcement organizations such as InfraGard where information 
could be shared so that we can have a prophylactic effect, you 
know, share information about how we can protect systems, and 
also, as was mentioned previously, have a response plan. 
Companies have to have a response plan, they need to know what 
to do when they have been attacked. By all means, contact law 
enforcement.
    There's a lot we can do. There are a lot of resources we 
can bear to solve the problem. Not all of these problems can be 
solved from the desk, from the desktop of a systems 
administrator.
    Again, we need to know how to respond, how to freeze 
evidence, how to establish the logs so that we can go in and 
determine what the methodology was, see if it is common with 
another case we have been working in the past and what 
resources we can bring to bear to work with the problem.
    Mr. Putnam. Mr. Johnson, I understand that the Secret 
Service recently released a report on insider cybercrime 
activities in the banking and finance sector. As part of its 
ongoing insider cyberthreat study, could you elaborate on the 
threats of that study, the difficulties of dealing with an 
insider threat, and the implications that report has for 
combating identity theft?
    Mr. Johnson. Yes, Mr. Chairman. I echo the sentiments and 
statements of the FBI in that we recently had a case involving 
AOL that involved an insider threat, the selling of personal 
identities to spammers for monetary gain.
    With the insider threat, the last 2 years, the Secret 
Service, in conjunction with Carnegie Mellon University CERT 
Coordination Center, collaborated on this insider threat study. 
The threat to critical systems includes individuals who have 
manipulated vulnerabilities within the system for personal 
gain, as is the case I mentioned with AOL. Some of the relevant 
findings of the study were similar to a lot of things that we 
have talked about today, and that is updating firewalls when 
employees leave, taking them out of the access to networks, 
changing passwords. The simplest-type things are being 
overlooked by businesses and IT people.
    Most incidents were not sophisticated or complex. A 
majority of the incidents were thought out and planned in 
advance, and, in most cases, others had knowledge of the 
insider's intentions, plans and activities.
    Like the locks on your doors, changing access to network 
and changing passwords and updating firewalls is a smart 
business practice.
    Mr. Putnam. Mr. Martinez, you mentioned a series of ongoing 
investigations that involve, in some, the theft of 30 million 
credit card account numbers and potential losses of $15 
billion.
    Can you elaborate on how thefts like this grow to such epic 
proportions, and are the penalties for cybercrime under the 
current code commensurate with the damage that is being done?
    Mr. Martinez. Well, of course, a case can be taken to this 
scope by consolidating like cases, and that's one of the things 
we try to do in developing strategies both for proactive 
efforts, and then also once we have complaints that have 
commonalities. And in order to do that, we have to employ 
analytical tools and analysts in a form like IC3 in order to 
determine if we have a problem that goes beyond the scope of a 
single complaint.
    In this case a rather large list of credit information was 
obtained. Again, it involved many different credit card 
companies, and so, again, I think we put the number at 100 that 
were affected, financial services and institutions.
    The idea here is to identify the scope and then work with 
these institutions, work with victims in order to track back. 
Let's see where this threat came from, see if we can't put our 
resources together in order to address the problem and to be 
proactive about the next attack.
    Mr. Putnam. Mr. Johnson, do you wish to add anything to 
that?
    Mr. Johnson. Not at this time.
    Mr. Putnam. Very good. My time has expired. I will 
recognize the distinguished ranking member, Mr. Clay, for his 
questions.
    Mr. Clay. Thank you, Mr. Chairman.
    Mr. Swindle, since your agency carries the responsibility 
for protecting the private information of consumers, what 
additional efforts need to be undertaken by FTC to further 
educate the public and corporate community on issues 
surrounding identity theft, or is education and awareness the 
key to prevention, or are more stringent regulations concerning 
privately held consumer information necessary to improve 
security?
    Mr. Swindle. Mr. Clay, I would hope that we are not, as 
stated, responsible for protecting the privacy of all the 
American citizens. That would be a hell of a big job, and I 
know you didn't mean it exactly that way.
    Mr. Clay. I would want you to.
    Mr. Swindle. We certainly do the best that we can, and we 
are taking every step we possibly can, given the resources we 
have--and this is not a plea for more resources, by the way--to 
help educate, and, through education, to deter the invasions of 
privacy and this theft of this personal identification of which 
we have all been speaking, and the damage it can do to people.
    A part of an education process is dealing with businesses, 
it is dealing with government agencies, it is dealing with 
Members of the Congress, asking them to help us make more 
people, the consumers, aware. It is dealing with the business 
association and working internationally, dealing with cross-
border fraud issues and trying to work with just hundreds of 
agencies.
    We are now, with our identity theft complaint 
clearinghouse, I believe we call it, we are making that 
available to in excess of 1,000 law enforcement agencies around 
the country. We are about to make it available to the Canadians 
on a 24-hour basis. We are working with international groups. 
We are working with local and State law enforcement agencies.
    So, there is a lot going on, but I think that gets to the 
problem, as the chairman had mentioned, and Mr. Clay, I believe 
you mentioned also, the occurrence of these crimes seems to be 
growing no matter what we do. And, it is the proverbial needle-
in-the-haystack operation, except that this haystack is the 
global haystack, and there are lots of needles in there. Trying 
to find solutions and punish those who are guilty is a 
difficult process.
    I don't know that we can solve the problem without massive 
education of customers and business. Then everyone who is 
involved becomes aware of the role that they can play and take 
it seriously. It is going to take a lot more effort. We have 
some, if I remember correctly, about 45 or 50 Congressmen who 
have participated with a program we tried to initiate 2 years 
ago. We could get what, 395 more that could do it and help us a 
lot. It is just a massive problem. It is going to take 
repetition, repetition, repetition.
    Mr. Clay. What are the main things that the public should 
be aware of? What should they look out for? What advice do you 
give the public about identities?
    Mr. Swindle. Well, just starting off, liken it to an 
automobile. We know automobiles and safety intuitively. We have 
to get the use of computers into that mode of thinking. That 
means first realizing that a computer is a very sophisticated 
thing. It is now just second nature to log on and talk to 
somebody halfway across the world. When you and I were growing 
up, we didn't know how to talk to the community 15 miles away.
    Things have greatly changed. We have to educate people to 
learn. It will literally take an education program that starts 
with young persons. We are not doing enough. But also in the 
business side of the world, it's talking to businessmen and 
board members. They have to take information security and 
privacy seriously. It is their corporation, their business. It 
should be a primary part of the culture of that company to do 
these things right, and then it has to ripple right down the 
stream to the lowest levels.
    Mr. Clay. Thank you for that response.
    Let me shift real quickly to Mr. Johnson, and seeing my 
time is short. It seems to me the responsibility of the Secret 
Service runs concurrent to many other law enforcement agencies 
at all levels of government. Can you update us on any specific 
identity theft prevention activities among groups collaborating 
with the Secret Service, such as the Joint Terrorism Task 
Forces or Operation Direct Action? And are these groups 
improving the methods used to coordinate against suspected 
identity theft activity?
    Mr. Johnson. Yes, Mr. Clay. The Secret Service prides 
itself in the education of local and State law enforcement. We 
have a Secret Service e-information network that is available 
on line. We have a CD-ROM for State and locals. We have best 
practices for seizing electronic evidence.
    Operation Direct Action is working with third-party 
processors. Two of the primary third-party processors of credit 
cards are involved in Omaha, Nebraska, and Columbus, Georgia. 
By working and having agents assigned to those locations, we've 
found that access to the information that they can provide 
gives us quick response to State and locals or first responders 
to either identity theft or credit card fraud. We have seen the 
benefits in a good percentage of the cases that are ongoing and 
other cases that have been concluded.
    Mr. Clay. I thank you for that response.
    And thank you, Mr. Chairman, for your indulgence.
    Mr. Putnam. You are very welcome.
    Mr. O'Carroll, you mentioned that in your work on behalf of 
the President's Council on Integrity and Efficiency on controls 
over Social Security numbers that 9 of 15 inspectors reported 
that their agencies had inadequate controls over the protection 
of Social Security numbers in their data bases. Given the 
extensive information security requirements for Federal 
agencies under FISMA and GISRA, how can this be?
    Mr. O'Carroll. Mr. Chairman, historically the use of the 
SSN was the Federal identifier of employees, and much as we 
found with universities where it was on their identification 
card, in many Federal agencies it was on the identification 
card for the agency. It was posted on walls. Instead of system 
security flaws on it, it was mostly posting an easily 
observable SSN.
    And what we are fearing--we did the study of other 
inspectors general on this thing--is as much as you said there, 
is our feeling is that the first place to start correcting the 
use of the publication of SSNs is within the Federal 
Government. One of the ways that we just changed it recently, 
as probably many of the people in the room are aware, is when 
any check was going out from the Federal Government, in the 
window of it, it had the Social Security number of the 
individual receiving the check. These are all baby steps that 
were taken. We finally have gotten that taken off of the check. 
We have been stopping the publication of it.
    We are doing studies now in terms of the uses of non-
Federal agencies' use of SSNs, for example, colleges and 
universities, and we are trying to do an education program to 
get the SSN taken out of the daily usage. And we figure that 
will be a good way to prevent its misuse in government, and 
misuse period.
    Mr. Putnam. Many companies avoid reporting security 
breaches due to the effect that the news would have on their 
reputation. Is that sound policy? It's certainly to a degree 
understandable. Or does it merely make the problem worse and 
encourage those cybercriminals by having them to believe that 
they won't get caught? We'll begin with Mr. Martinez.
    Mr. Martinez. Well, this issue is addressed across the 
board in some of the cybercrime matters that we address. I know 
when I was an assistant special agent in charge in Los Angeles, 
we worked with the entertainment community on IPR issues, 
intellectual property rights, and there was a bit of a dance 
that we had to do with the industry because they don't like to 
admit that they have a problem. It is bad business sometimes. 
It gives their competitors possibly an edge. And the same thing 
applies to e-commerce businesses, etc.
    So our approach to that is to try to engage to the fullest 
extent we can with those businesses, give them a comfort with 
us, let them know what to expect through training. Again, our 
InfraGard program, that's part and parcel, is to let them know 
what to expect if they do report and the FBI shows up, what we 
are going to be looking for, what we would hope to find when we 
get there as far as the procedures they've put in place to 
maintain evidence.
    Mr. Putnam. Anyone else want to answer that? Commissioner 
Swindle?
    Mr. Swindle. I believe I addressed this in part in my last 
response. There is almost a Washington, DC, ostrich syndrome 
that I think permeates the whole society that when we do 
something wrong, we fear addressing it up front more than I 
think is necessary. I think if we deal with things direct, up 
front, get it out, find a solution, we are far better off. I 
think it speaks well to the reputation of legitimate companies 
that they will do that. To do otherwise is just ignoring a 
problem that will never go away. It will come back, it will be 
found out, and then you are going to deal with why you covered 
it up.
    Mr. Putnam. It is not just Washington, as it might be a 
network problem, too.
    Anyone else want to add to that?
    The President has transmitted to the Senate the Council of 
Europe's Convention on Cybercrime. Given the international 
nature of this, and we certainly have law enforcement 
represented here that has to operate across borders, how 
important is the ratification of this treaty to improving our 
ability to apprehend cybercriminals? Mr. Martinez.
    Mr. Martinez. Well, absolutely it is important. The FBI has 
made a significant investment in international training and 
trying to work jointly with law enforcement agencies in other 
countries where we know we have problems and issues, where 
attacks are generated, where phishing schemes are located. And, 
again, we are very proactive about that, offering through 
international law enforcement academy several different blocks 
of cybertraining, ad hoc training really, anywhere in the world 
where it's required. We have 47 legal attache offices, about to 
add 3 more, and a big part of their job is to put us in 
contact with law enforcement agencies that need that kind of 
help.
    So having those kinds of devices to allow us to solidify 
those relationships, standardize the law and response in areas 
across the world is critical to our being able to address the 
problem here in the United States.
    Mr. Putnam. Mr. Johnson, do you wish to add anything?
    Mr. Johnson. Yes, Mr. Chairman. I would agree and the 
Secret Service would agree that the victimization of Americans 
and of businesses overseas is growing at a rapid pace. The 
world is borderless. The Internet provides the foreign 
criminals easy access to the United States and its citizens 
by quickly getting on line. Many countries have Internet 
access, they have TV access. The foreign public can only buy 
Western products on line. That is their only capability. The 
growing number of significant investigations overseas, 
virtually all terrorist investigations have a foreign nexus. 
The field offices that we have established have provided rapid 
response overseas and provided that capability, and it is also 
extending the reach of American law enforcement in general.
    Mr. Putnam. Commissioner, this is my final question, and 
then I will yield back to Mr. Clay. California has a law that 
took effect in 2003 that requires businesses or State agencies 
that maintain computerized data that includes specified 
personal information to disclose any breach of security to any 
California resident whose unencrypted information was or is 
reasonably believed to have been acquired by an unauthorized 
person. What effect do you think that law will have on 
improving information security? And what are your thoughts on 
taking it national?
    Mr. Swindle. Mr. Chairman, as I mentioned in my testimony, 
there certainly are circumstances where a person ought to be 
notified that there has been a breach. However, I don't for a 
minute believe that in every circumstance they should be 
notified. And I think, taken to extreme, that could be an 
enormous burden on businesses, and it would solve no problems. 
I don't think it necessarily would prevent it from happening 
again, and there may very well not be any damage done at all. A 
lot of the information that is personally identifying is 
publicly known in phone books, for example.
    So I think you would have to deal with those circumstances 
on a case-by-case basis. And, to my knowledge, I think 
California is the only State, at least to date, that has that 
kind of legislation. That's not to say it is probably not being 
considered by many other States, but I think I would move in 
that direction extremely cautiously because I think it could be 
an overkill.
    Mr. Putnam. Mr. Clay, you are recognized.
    Mr. Clay. Thank you, Mr. Chairman.
    I will start with Mr. O'Carroll. Since the release of the 
2003 report on the internal control structures for the use of 
Social Security numbers among Federal agencies, have there been 
any notable improvements reported by agencies that were 
identified as having deficiencies in the methods and practices 
used for protecting Social Security numbers or identifiers?
    Mr. O'Carroll. Mr. Clay, we were going to be doing another 
followup audit on that next year to see what improvements there 
have been. But anecdotally, from other inspectors general and 
from having conferences with them and discussions with them, 
most of those other agencies have all started robust plans on 
correcting the use of SSNs in their agency, and we expect it to 
be a much better audit when we do it next year.
    Mr. Clay. Thank you for that.
    Let me ask Mr. Martinez. Last Friday the Washington Post 
published an article on the increasing number of fraud-related 
investigations by the FBI within the mortgage marketplace, and 
identified my home State of Missouri as a so-called hot spot of 
activity. Can you provide for us any information on the number 
of cases that are specifically related to the use of fake 
identities or straw buyers or forged loan documents in the 
recent upswing of activities? Are you familiar with it at all?
    Mr. Martinez. I am familiar with the article and the 
circumstances; and that would fall under the responsibility of 
our Criminal Investigative Division that has the responsibility 
for traditional white-collar crime cases. I can tell you that 
it is certainly within the realm of possibility that type of 
criminal activity could be part and parcel of mortgage loan 
fraud. Again, identity theft might very well be applied.
    I mean, I think the answer here is that smart criminals 
will figure out a way to make it work for them. And with this 
vulnerability, it is just another vulnerability to be 
exploited, and I think it could be applied. But I couldn't give 
you specific figures, but I can certainly talk to the Criminal 
Investigative Division and get back with you on that.
    Mr. Clay. Thank you for that.
    Let me ask you for one last question. Can you cite for the 
committee specific areas where legal or policy barriers 
continue to impede information sharing or cooperation among 
stakeholders investigating potential identity theft activities?
    Mr. Martinez. I am not aware of any legal impediments. I 
think there is just an awful lot of work to go around. So the 
approach we have to take is to just leverage resources. Again, 
I am not here with my hand out saying we need more bodies. Of 
course I could throw another thousand agents at the identity 
theft problem, and in cybercrime in particular, and not solve 
it and not make a significant dent in what might continue to be 
the problem.
    But that said, we do have many, many initiatives that are 
intelligence-based. I've mentioned IC3 several times. It is 
more than just a place to receive complaints. We take that 
information, we crunch the numbers, we decide where can we 
apply our resources, our cyber task forces' resources, State 
and local resources that can be brought to bear, regional 
forensic labs to address the problem.
    So it is enormous, but I do think that with some 
collaboration, with our partners especially, you know, we have 
mentioned several times with private industry, it is enormously 
important. We can't do this alone. They are often out in front 
of us as far as being able to detect and plan and see threats 
coming. So we need to continue to leverage those resources the 
best we can.
    Mr. Clay. How successful is your agency in apprehending 
those who participate in identity theft, those--especially the 
bigger fish so to say? Pretty successful?
    Mr. Martinez. Well, I guess I would like to say that we 
have had some tremendous successes. Some of the things that 
impede those successes are, again, the international nature of 
the problem. Some of the groups that are perpetrating these 
types of crimes are located in countries where we don't have a 
good established working relationship. We work awful hard at 
it, but there is just--sometimes you can't overcome those 
problems. But, again, it is something that we need to work at 
every day. We do have a good network of legal attache offices 
and training and outreach that goes toward making those kinds 
of strides.
    Mr. Clay. Thank you for that response, Mr. Martinez. I 
yield back the balance.
    Mr. Putnam. Thank you, Mr. Clay.
    Before we wrap up this panel, I would give all of you the 
opportunity to have a final word or answer a question you wish 
you had been asked, whatever the case may be. And we will begin 
with Mr. O'Carroll and go down the line and just give you a 
moment, if you have anything that you would like to say, and 
then we will seat the second panel.
    Mr. O'Carroll.
    Mr. O'Carroll. The only thing I have to add, Mr. Chairman, 
is--continuing on with what Mr. Martinez said, is that I think 
nowadays since we all have so much more work than we have 
people to handle it, that the wave of the future is going to be 
cooperation between all Federal law enforcement agencies and 
also working with local agencies. And by doing that, we are 
using the task force concept which is being used right now very 
effectively in the terrorism arena.
    In the identity theft arena, I think that is the solution. 
We can share information, it is easier to do it, there is less 
structure--or strictures in relation to disclosures of 
information on a task force. And I think that is something that 
we are going to be seeing a lot more of. We participate in 
about six identity theft task forces around the country that 
have been very successful.
    Mr. Putnam. Mr. Johnson.
    Mr. Johnson. In closing, Mr. Chairman, I would agree with 
Mr. O'Carroll, that our Electronic Crimes Task Force is--the 15 
that we have established, we are looking to double that number 
in the next 3 years. To further Mr. Clay's earlier question to 
Mr. Martinez about the big fish, are we--I would just like to 
say to the chairman that the Secret Service is, through 
prevention, our training at the local levels all the way up to 
the disruption of the major players in financial crimes and 
identity theft, that we are making inroads every day with these 
investigations. That along with the Electronic Crimes Task 
Forces in the United States, the Secret Service is not only 
dedicated to the problem, but it is a priority of our agency.
    Mr. Putnam. Thank you.
    Mr. Martinez.
    Mr. Martinez. First, I want to tell you how much I 
appreciate and the FBI appreciates the opportunity to come and 
speak to you today and talk about this important crime problem. 
And I want to tell you how much we appreciate Congress' support 
in enacting the SLAM-Spam Act, the identity theft penalty 
enhancement. These are the types of real tools that we can go 
out and take and try to make an impact on this crime problem. I 
just appreciate the opportunity to speak to you today. Thank 
you.
    Mr. Putnam. Thank you, sir.
    Mr. Swindle.
    Mr. Swindle. Mr. Chairman, someone, I've forgotten whether 
it was you or Mr. Clay, asked the question to another 
participant about whether or not the penalty matched the crime. 
I have been a Federal Trade Commissioner for roughly 6-1/2 years 
now, and one of my great frustrations is to see one scam artist 
after another come through our process. Our staff does 
remarkable work in finding them, building the case, but we are 
a civil penalty organization and do not have criminal 
authority. Oftentimes we find we catch the spammers, we catch 
the scam artists, and so much of it is being done 
electronically now, and we expend great resources to get them, 
and they have nothing. It is just a difficult task. I don't 
think the penalties anywhere come close to matching the crime.
    One of my greatest frustrations is that it appears as 
though some of this conduct is almost just the price of doing 
business when you get caught because the penalty is so 
insignificant relative to the size of the profits made.
    Another one is oftentimes we find people after we track 
them down and they have ripped off the consumers for 
multimillions of dollars. Guess what? They have no assets 
except perhaps a million-dollar house in Florida which we can't 
touch because of the homestead exemption. We ought to find ways 
to adjust the laws so that you don't get homestead exemption if 
you are engaged in criminal activity or alleged criminal 
activity and you settle.
    It is a big problem. I think it is demoralizing to those 
who try to apprehend these people, not to mention the poor 
victims of some of these crimes, which it is in staggering 
proportions. And I think that is something we should seriously 
look at.
    Mr. Putnam. Thank you very much. I want to thank all of 
you. And at this time we will dismiss panel one, and the 
committee will recess for such time as it takes to set up the 
second panel.
    [Recess.]
    Mr. Putnam. The subcommittee will reconvene. I would like 
to invite our second panel of witnesses and anyone accompanying 
them to please rise and raise your right hands for the 
administration of the oath.
    [Witnesses sworn.]
    Mr. Putnam. Note for the record that all the witnesses 
responded in the affirmative.
    We will move directly to testimony beginning with Howard 
Schmidt. Mr. Schmidt joined eBay as vice president and chief 
information security officer in May 2003 after retiring from 
the Federal Government with 31 years of public service. He was 
appointed by President Bush as the vice chair of the 
President's Critical Infrastructure Protection Board and as the 
special advisor for Cyberspace Security for the White House in 
December 2001. He assumed the role of the Chair of the Board in 
January 2003 until his retirement in May 2003.
    Welcome to the subcommittee. You are recognized, sir, for 5 
minutes.

STATEMENTS OF HOWARD SCHMIDT, FORMER WHITE HOUSE CYBERSECURITY 
    ADVISOR, AND VICE PRESIDENT, CHIEF INFORMATION SECURITY 
  OFFICER, eBAY, INC.; BILL HANCOCK, VICE PRESIDENT, SECURITY 
      PRACTICE & STRATEGY, CHIEF SECURITY OFFICER, SAVVIS 
COMMUNICATIONS CORP.; BILL CONNER, CHAIRMAN AND CHIEF EXECUTIVE 
 OFFICER, ENTRUST, INC.; AND JODY WESTBY, CHAIR OF PRIVACY AND 
COMPUTER CRIME COMMITTEE, AMERICAN BAR ASSOCIATION, SECTION OF 
      SCIENCE AND TECHNOLOGY LAW, AND MANAGING DIRECTOR, 
                     PRICEWATERHOUSECOOPERS

    Mr. Schmidt. Thank you, Mr. Chairman and Ranking Member 
Clay. Thank you very much for the opportunity to be here today.
    I would like to keep my verbal comments relatively brief in 
lieu of all the questions that you had last time and I am sure 
you will have again. But I want to basically focus my remarks 
in three major areas: One, what eBay is--the company itself is 
doing relative to the leadership, relative to the area of on-
line identity theft and phishing, as you have cited, 
accurately so, a growing threat to consumers, business, Federal 
employees, and basically anybody that uses the Internet; also, 
some of the industrywide efforts that are taking place to 
collectively combat this area; and then some thoughts I think 
that I want to share relative to the public-private partnership 
that is so crucial to our success in moving forward on the 
cyberspace security area, but more specifically on the on-line 
identity management.
    You know, you have heard the numbers from the FTC. They 
reported earlier this year that the identity theft topped the 
list of consumer complaints for the 4th year in a row, about a 
33 percent increase in what we have seen over the previous 
years, and even that didn't tell the full story. In June of 
this year, the Forrester Report showed approximately 9 percent 
of U.S. on-line consumers, about 6 million houses that use the 
Internet, that experienced identity fraud. Now, when you look 
at the overall international user base on the Internet, it is 
estimated to be about 840 million users currently. So we are 
talking about just the U.S. portion of that. And what I 
probably worry about most more than anything else is the fact 
that the numbers that we have mentioned are potentially capable 
of growing if we don't take action quickly and we don't move in 
a cohesive measure between private sector and public sector.
    One of the reasons, of course, as some of the previous 
folks testified about, and that is this issue around phishing. 
What we have seen is an evolution as we have been very, very 
concerted about better cybersecurity for enterprises. You 
mentioned the California 1386 law relative to reporting things, 
Sarbanes-Oxley-Graham. You list the name of things that have 
given us incentives to do things better when it comes to 
cybersecurity, and corporations both publicly traded as well as 
privately owned are doing more. We are starting to see the 
shift, the attack vector shift to the less sophisticated, the 
end users, the cable modem users.
    You know, we have seen instances even recently where 
phishing e-mails have come reported to be from the FBI, the 
FDIC telling people that if you don't fill out this form and 
give us all your information, Social Security number, mother's 
maiden name, dog's name, address, high school, we are going to 
shut down your bank account, and that is tremendously scary 
to the uneducated and the non-IT professional.
    But it is interesting that this is not a new phenomenon. We 
have been dealing with this for over 20 years. In the 1980's, 
we were actually teaching classes at the Federal Law 
Enforcement Training Center in Georgia on what we called at 
that time carding, with actually doing shoulder surfing, going 
to airports, New York La Guardia, and looking at people as they 
used calling card numbers and credit card numbers to make calls 
and using that for identity theft. And what we have seen as of 
about 2 or 3 years ago when this new spate of phishing started, 
they actually started from a perspective of trying to grab on-
line time for free. It wasn't about identity theft, it wasn't 
about credit card fraud, it was getting on line for free.
    And then what happened is that evolved, and they said, 
well, listen, we can make money off of that. And I think all 
the previous witnesses testified as well that this has now 
moved from clever hobbyists and people thinking they are being 
funny and hacking to where it is true criminal enterprises. And 
other reports came out this year that estimated 57 million 
users on line had received phishing e-mails. I am averaging one 
a day now from major institutions all around the world.
    Mr. Putnam. Excuse me. Can I just interrupt? Does that 
include the Saudi plea?
    Mr. Schmidt. Yes.
    Mr. Putnam. Because that has to be at least two-thirds of 
it.
    Mr. Schmidt. That is a big chunk of it. Absolutely correct. 
And then, of course, we add into the political fundraising 
portion of it as well. And what happens now, we are seeing a 
more focused, what is being referred to by Markus Jakobsson, who 
did some analysis while at RSA Security Laboratories, what they 
call context attacks, where the phishing attacks are the same 
way. You just recently bought a new car, here is information 
relative to that, and really convincing you that this is a 
legitimate e-mail. So consequently, you know, this is indeed a 
new challenge we have not seen before.
    Now, what are some of the things we are doing? One, first 
and foremost, many of us, particularly those of us who have 
multi-million-user bases like we do, are doing a 
continuous education process. We've changed our business 
process, so we no longer send active links in e-mails that we 
send to customers anymore. As a matter of fact, we tell them, 
if you want to do a transaction, type in the URL or use a 
bookmark. But basically we have also spent a tremendous amount 
of resources hiring people to do full time where we have the 
ability to identify these phishing sites on a near real-time 
basis and take them down.
    Now, in closing, I just want to make one quick comment 
relative to the overall homeland security piece, because as we 
were doing the national strategy to secure cyberspace out of 
the White House, some government agencies didn't feel that 
identity theft and identity management were homeland security 
issues, and I truly believe they are.
    One, first and foremost, no better tool--as we get better 
about physical identity, no better tool than for a terrorist or 
an organized crime to use--criminal person to use than your 
good name to be able to assume your identity and be able to 
pass through airports. Second, it becomes a nexus. And as you 
see in my written testimony that we are seeing 30,000 users 
that are being compromised on a regular basis that then can be 
used to launch denial of service attacks. And, last, to become 
a gateway into corporate enterprises such as critical 
infrastructure. And it is important to make sure that we do 
everything we can to stop that from taking place.
    So, with that, I thank you for the opportunity again, and I 
stand by for any of your questions you may have. Thank you.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Mr. Schmidt follows:]

    [GRAPHIC] [TIFF OMITTED] T8486.051 through T8486.058
    
    Mr. Putnam. Our next witness is Dr. Bill Hancock. Dr. 
Hancock is the vice president of Security Practice & Strategy 
and the chief security officer of SAVVIS Communications, a 
large global telecommunications hosting and IT services 
company. He has designed thousands of networks and has been 
involved in hundreds of hacker investigations in his career of 
over 30 years in the high-tech industry.
    Dr. Hancock has written extensively on security and 
networking. He is well known in the industry as a technical 
visionary due to his various original inventions such as 
stealth firewall technology and intrusion detection and 
prevention technologies. Dr. Hancock is also a founding member 
and immediate past chairman of the Internet Security Alliance.
    Welcome to the subcommittee, sir. You are recognized for 5 
minutes.
    Mr. Hancock. Thank you, Mr. Chairman, Mr. Clay, members of 
the subcommittee. I would like to start off by saying I'm 
probably the geek that you are going to have to deal with 
today, and a geek with nervous social skills.
    With that, I would like to do--we have heard from everyone 
today about how bad the identity theft problem is. I would like 
to do a couple things and point out a couple of little broader 
topics having to do with identity theft, and then also offer 
some ideas in terms of correction.
    One of the problems that we have with the basic concept of 
identity is, what is something? And that gets not even to the 
point of what is money. We often think very much about what 
happened on September 11. I had friends that were in one of the 
aircraft that hit the World Trade Center, I have acquaintances 
that were involved in the Pentagon, and I can tell you 
categorically that if we suffered a cyberattack against our 
financial resources of this Nation, it would cause trouble that 
you cannot possibly imagine. I will say that specifically for 
this reason: Money is an entry in a data base; it is not a pile 
of cash in a vault, it is not a bunch of collateral that is 
spread around evenly throughout different organizations. 
Anymore when you present a credit card or you go to an ATM 
machine, and you take that credit card in that ATM machine and 
you swipe the magnetic strip, everything in the middle assumes 
that is really who you say you are, and that the person who 
owns that card and the person that possesses that card is the 
person who is supposed to have that card.
    We know from past experience, and I am sure that other 
panelists will agree with this, that there are an enormous 
number of ways to go back and spoof credit cards, to create new 
credit cards, to go back over and create false magnetic strips 
and all kinds of other mechanisms. And those things are widely 
available on the Internet and almost anywhere you would like to 
go.
    Specifically, though, we have other types of attacks that 
happen because of identity theft because we continue to use 
protocols which are 30 years old. Specifically, when we sit 
down and consider the fact of things like denial of service 
attacks, which can be debilitating over a network, that can 
take out a complete Website, that can take out e-commerce, that 
can knock out a company completely from its network presence, 
what we find is that many times those attacks are caused by 
spoofing of source addresses or spoofing of destination 
addresses because we do not properly identify devices that join 
the network. If you are a device, and you get on the network 
and you send the right formatted message, something gives you a 
TCP/IP address, you are allowed to join the network, and you 
can go back and do whatever you want to do.
    In the cases of things like distributed denial of service 
attacks, there are literally networks of hundreds of thousands 
of zombies, and there is more and more being created every day. 
As a matter of fact, I read an estimate just yesterday morning 
that says that there is over 30,000 machines a day are being 
acquired and put into zombie networks. These particular 
networks can be used to go back and spoof source addresses 
because we do not adequately identify machines, identify 
technologies that join the networks, and then those source 
addresses can be used to go back and debilitate a company that 
is legitimately engaged in e-commerce all over the network.
    So as we go back and we examine identity management, I 
think one of the things that is very important to understand is 
that we not only have the problem that we all hear about 
consumer identity being stolen, that our consumer debt and 
consumer confidence is being eroded, but simultaneously we are 
also having the problem that networks themselves are being 
killed off from the simple fact that we have network technology 
that is being used that was never developed with security in 
mind. There are no controls in the TCP/IP protocol suite 
whatsoever to go back and deal with the identity of a device 
that joins the network. There is nothing within the protocol 
that is used for Web sciences such as XML and HTML to properly 
authenticate and identify an individual or identify a 
particular program that may want to go back and access them 
back in.
    As a brief example, one of the more classic things that 
happens is when a front-end data base that is located on a Web 
server wishes to discuss something with a back-end data base 
that may be a legacy mainframe, what we find very often is that 
there is a singular identity that is exchanged between the two 
data bases. And if you look at every single data base 
transaction that happens, it comes from that same singular 
identity no matter who came in on the front end and no matter 
what you are asking for on the back end. And that is because of 
improper identity management at the program level.
    So, so far we have discussed the problems of identity 
management at the device level, at the program level. We know 
of the problems with the individuals.
    So, therefore, what kind of things do we need to do? One of 
the things we need to very seriously think about doing is a 
heavy lift of different protocols that are used in network 
communications. This is a very big deal because it allows us to 
properly identify devices and properly identify services, 
properly identify applications that are actually transacting 
over the networks. Eventually security should be invisible. It 
should be just like you walk in and you startup your car, you 
put a key in the ignition, and all kinds of magic happens. The 
fact that there are 28 processors under the hood and there is 
probably a network running around inside the car is totally 
irrelevant to you. And that is the way security should be over 
time. We can't do that until the protocols themselves have the 
controls and capabilities built into them.
    We need to start thinking about authentication 
implementation and audit capabilities at all companies. And, 
frankly, I am more concerned about companies involved in things 
like power grid management, water networks, food processing, 
food movement-type of networks, because all of these use the 
same protocols, all of these have exactly the same problem, yet 
the level of criticality of these particular networks and these 
particular types of infrastructures are more critical in terms 
of what we do.
    A good example is air-to-ground, ground-to-air uses a 
specific set of protocols that are bizarre and unique. Those 
are all being migrated right now to TCP/IP, which means very 
soon ground-to-air and air-to-ground communications protocols 
will be available to Internet connectivity.
    We will also find that there needs to be multiple methods 
of authentication, not just one. And the reason being is that 
if you compromise one, you don't want to compromise all of 
them. You need to take the time to establish the different 
types and different levels of authentication to have a 
defensive, in-depth type of profile. We need to think about 
incentives through industry to go back and help people realize 
that it is a good thing, a profitable thing to instill 
security, but also to go back over and deal with the identity 
management problem and to deal with the situation.
    We need to take an international approach to all of this, 
and this may even include modifications of trade agreements to 
ensure that ourselves, our trading partners and everyone are 
engaged in proper identity management when we start moving 
things around between different areas, because the Internet is 
truly without borders.
    And we also need to go back and think about leading from 
the front. Different companies, different organizations and 
everything are not incented, they are not told, they are not 
provided legislative requirements for CEOs to make the proper 
types of decisions. I deal with this all the time. I go out and 
I suggest to a customer, please improve your security. And they 
say, why? And the answer I give back to them as a typical rule 
is three things: Because of what I call a PAL technique of PR, 
assets, and the law. There are reasons to protect your brand, 
there are reasons to protect your assets, and there are laws 
that you must adhere to.
    That tends to be a good business case, but that is not the 
real reason why people should put in security. They should go 
back and install identity management because it is the right 
thing to do.
    With that, Mr. Chairman, that concludes my opening remarks. 
I would be happy to take some questions.
    Mr. Putnam. Thank you, Dr. Hancock.
    [The prepared statement of Mr. Hancock follows:]

    [GRAPHIC] [TIFF OMITTED] T8486.059 through T8486.064
    
    Mr. Putnam. Our next witness is Bill Conner. Mr. Conner is 
among the most experienced security and infrastructure 
executives worldwide, with a career that spans more than 20 
years across numerous high-tech industries. Mr. Conner joined 
Entrust as its president and CEO in April 2001. In 2003, Mr. 
Conner received the corporate CEO award as part of the annual 
Tech Titans Award program. Most recently he has been a leader 
in the effort to elevate information security to a corporate 
governance issue and to fashion a public-private partnership to 
protect America's critical infrastructure.
    Welcome to the subcommittee, Mr. Conner. You are recognized 
for 5 minutes.
    Mr. Conner. Thank you, Mr. Chairman. Good afternoon. 
Chairman Putnam, Representative Clay, and members of the 
subcommittee. Thank you for the opportunity to provide 
testimony on this important subject.
    My name is Bill Conner. I am chairman, president, and CEO 
of Entrust. In my testimony today I will address the threat of 
identity theft and phishing. I will also examine what Congress 
can do about it.
    I want to be very clear in my message: Identity theft and 
phishing threaten not only to undermine the trust in business 
and the Internet, but also to disrupt our national economy. We 
need to protect all Internet users, not just the upper tier. 
Identity theft and phishing do not discriminate between the 
haves and have-nots, and corporate programs aimed at protecting 
only the most valued customers won't solve the problem. These 
are not isolated threats, but part of a broader cybersecurity 
challenge.
    I would like to first address why identity theft and 
phishing are serious problems. Just as the Internet has 
supercharged commercial transactions, it has also supercharged 
cybercrime. When the Internet was used mainly to communicate 
and access information, the lack of security didn't much 
matter. Now that it is used for on-line transactions and 
critical information, the absence of security is truly a big 
problem. It is as if consumers and businesses that rely on the 
Internet have wandered into a dangerous neighborhood of cheats, 
pickpockets and thieves and don't even know it. The fact that 9 
percent of U.S. on-line consumers have experienced identity 
theft and that phishing attacks are now growing at 50 percent 
per month shows that the little yellow locks on your desktop 
that are supposed to maintain law and order on the Internet are 
inadequate.
    The obvious question is why? Why has the market been so 
slow to respond? As a result of my role at Entrust and my 
experience as cochair of two major task forces on information 
security, I have become convinced that the only way for 
enterprises to address cybersecurity is to make it an executive 
management priority with board oversight. This is not the case 
today.
    There are several reasons for the lack of progress. One, 
companies don't know what to do. Many companies don't 
understand the scope or the threat and how to respond. As a 
result, they pretend the problem doesn't exist, and, if it 
does, it won't hurt them.
    Second, it is not a corporate priority. Even if they 
understand it, many firms refuse to make it an executive 
priority. They continue to treat cybersecurity as a technical 
issue and one that can be delegated and relegated to the CIO.
    Government regulations are unclear. A raft of legislation 
has been passed in recent years including GLB, HIPAA, 
California's Senate bill 1386, and most recently section 404 
Sarbanes-Oxley. Until there is better understanding of what it 
takes to comply and the penalties for the failure to do so, 
progress will be slow.
    And, fourth, technology vendors aren't doing enough. 
Vendors share in this blame. We have been criticized for 
overhyping solutions, failing to correct and connect products 
to business needs, ignoring ways to measure the return on 
investment, and producing poor-quality products that constantly 
require patching.
    That is why I urge you to consider the road to information 
security lies through corporate governance. If the government 
and private sector are to secure their information assets, they 
must make cybersecurity an integral part of internal control 
and policies. Like quality, cybersecurity is a journey of 
continuous improvement, not a one-time event. The No. 1 
priority for Congress should be to create a bright light 
between acceptable and unacceptable behavior. As long as the 
line is fuzzy, the market will be caught in the cybersecurity 
paradox. Everyone knows there is a problem, but in the absence 
of clear solutions or penalties, they are waiting for someone 
else to take the lead.
    I would offer the following recommendations for your 
consideration: One, Congress should demand that Federal 
agencies purchase and deploy cybersecurity technologies. Mr. 
Chairman, as part of your oversight of FISMA, I would urge you 
to initiate a dialog about how to drive deployment of security 
technology that Federal agents have purchased but left sitting 
on the shelf.
    Two, Congress should stipulate that cybersecurity measures 
are an explicit part of Sarbanes-Oxley section 404. By stating 
that section 404 Sarbanes-Oxley applies to cybersecurity 
controls, Congress could encourage publicly traded companies 
like mine to make information security governance a corporate 
policy and priority.
    Third, the Federal Government should lead by example. 
Congress should discourage Federal agencies from purchasing 
products from companies with inadequate cybersecurity, as well 
as create incentives for those that implement formations of 
cybersecurity governance programs. An example of such a program 
can be found in the report, ``Information Security Governance: 
A Call to Action,'' that was released by the National 
Cybersecurity Partnership Task Force on Corporate Governance in 
April of this year.
    Mr. Chairman, the cybersecurity threat is real and holds 
potential to incapacitate the Internet and our economy. The 
private sector has been much too slow to respond to this 
challenge. I would urge you and your colleagues in Congress to 
spur a rapid and constructive market response.
    Mr. Chairman, I would personally like to thank you for your 
leadership and your staff's in taking the lead and the 
initiative here in this area.
    Mr. Putnam. Thank you very much, Mr. Conner.
    [The prepared statement of Mr. Conner follows:]

    [GRAPHIC] [TIFF OMITTED] T8486.065 through T8486.078
    
    Mr. Putnam. Our next witness is Jody Westby. Ms. Westby 
recently joined PricewaterhouseCoopers as a managing director. 
Prior to joining PricewaterhouseCoopers, Ms. Westby held 
several positions in the IT field including serving as 
president of her own company, launching an IT solutions company 
for the CIA, and managing the domestic policy department for 
the U.S. Chamber of Commerce. She is the chair of the American 
Bar Association's Privacy and Computer Crime Committee, and was 
Chair, coauthor and editor of its International Guides to 
Cybersecurity, to Privacy, and to Combating Cybercrime.
    Welcome to the subcommittee. You are recognized for 5 
minutes.
    Ms. Westby. Thank you, Mr. Chairman, Mr. Clay. I appreciate 
the opportunity to be here this afternoon. I would like to 
clarify at the outset that my remarks, my testimony, is in my 
individual capacity and is based on my own background and 
experience. It does not necessarily reflect the views of the 
American Bar Association or PricewaterhouseCoopers.
    I applaud your attention to this critical issue. The 
security breaches that allow access, unauthorized access, to 
personally identifiable information go beyond unauthorized 
credit card charges, although that is in and of itself a grave 
issue. This data also feeds terrorist organizations, organized 
crime, and other bad actors that can use this information to 
exploit us for their own good, and to launch asymmetrical 
attacks against us.
    Because 85 percent of our information infrastructure in 
this country is owned by the private sector, the only way we 
can control these risks and protect our national and economic 
security is to protect the critical infrastructure of the 
companies. Herein lies the problem. Technical solutions alone 
will not secure our networks.
    Time and again over the past decade, hardware and software 
has held hope that we could turn the tide. But the truth is the 
bad guys are winning. The root of the problem is that there is 
a lack of oversight and governance of enterprise security 
programs by senior management and boards. Quite simply, we must 
change the paradigm for information security.
    Part of the problem is perception. Most people think of 
information security as a technical issue. It is really a 
multifaceted issue that requires a multidisciplinary approach. 
It is multifaceted because it involves privacy and security and 
cybercrime. It is multidisciplinary because it requires you to 
dovetail the legal, operational, managerial, and technical 
considerations of all three of those issues piled in with the 
business plan that sets the architecture of a company. It is a 
complicated process.
    I believe the main reason privacy has taken off is because 
people perceived privacy--CEOs and boards--readily at the 
beginning as a policy issue. They readily appointed a chief 
privacy officer, they put out policy statements, and privacy 
was accepted as a corporate governance issue.
    Security, on the other hand, is still perceived as a geek 
issue. CEO and boards are afraid of becoming geeks. The primary 
reason senior management and boards don't want to take on these 
issues is because they don't know how to approach it from a 
governance perspective. They think they have technical people 
to take care of the computers, so why should they worry about 
it; they hired them; that is their responsibility.
    That is the wrong conclusion. Information and communication 
technology comprises one of the largest line items in corporate 
budgets. Officers and directors have a responsibility to 
exercise oversight over this equipment for the very reason that 
the viability and profitability of their corporation is 
dependent on it. Also, 80 percent of corporate assets today are 
digital. It is clear that directors and officers have a 
fiduciary duty of care to protect business assets. There also 
remains a high incidence of insider attacks, yet these are the 
very people who are under the direct control of boards and 
senior management. Companies also have a patchwork of laws and 
regulations they must comply with in the area of privacy and 
security, and compliance has always been viewed as a governance 
issue.
    Studies have shown that cyberattacks can impact market 
share and share price, two key areas of responsibility for 
officers and directors. A Delaware derivative shareholder case, 
Caremark, in 1996 was brought to the attention of the 
information security world because it emphasized that boards 
have to ensure that their corporate information reporting 
systems are, in concept and design, adequate.
    And the last reason why officers and directors need to pay 
attention to this is because cyberattacks are so common today. 
They are in the daily news. Leaving networks unsecured is the 
equivalent of leaving the R&D lab door unlocked.
    There are other consequences also that require 
consideration, one which was brought up by my colleague today 
about the inability to track and trace cyber incidents. Cyber 
incidents frequently pass through many countries, and we 
involve international cooperation of law enforcement, we have 
dual criminality issues, we have extradition issues. But 
terrorists and organized crime are exploiting this inability to 
track and trace cyber incidents, and they are using that as a 
way then to obtain this information and use it for trafficking 
of drugs, money laundering, and purchasing weapons and 
supplies. Corporations and data banks are their soft targets, 
and this puts us all at risk.
    Quite simply, corporations have to begin viewing security 
as an enterprise issue that is also a governance issue. 
Prevention of attacks is the best problem, and Congress can 
help them do that by providing tax credits to corporations that 
implement enterprise security programs. Such credits could 
encompass risk assessments, implementing best practices and 
standards, establishing internal controls, integrating 
security, and of capital planning and training.
    Another initiative could provide some funding grants to 
help advance models for effectively measuring return on 
investment for information security programs, and other tools 
that would help boards and senior management through the 
decisionmaking progress.
    Last, I want to stress that this is not just a U.S. 
problem, it is a global problem. The global security of the 
Internet has never been more important. We are close to a 
saturation point among the English-speaking populations in the 
world. Connectivity in the future will be in Asia-Pacific, 
Europe, and Latin America, in that order.
    In a globally connected network, we are only as secure as 
our neighbors, and we must help them if we are to help 
ourselves. We have to help them draft privacy, security, and 
cybercrime laws that are consistent with FISMA and the global 
framework; to help them understand the nexus between privacy, 
security, and cybercrime, and how to build enterprise security 
programs using the best practices and standards; and, as our 
earlier panel said, to train law enforcement and judges and 
prosecutors.
    The good news is this is all repeatable. In the past several 
years I have done a lot of work in developing countries. Road 
shows with consistent materials trotted around the globe would 
be very effective.
    I am sorry, Mr. Bordes, do you have the three books that I 
brought up here? Could you please share those with Congressmen 
Clay and Putnam?
    These books are available. The American Bar Association's 
Privacy and Computer Crime has put its money where its mouth 
is. These books are free to people in developing countries. 
That is 180 countries around the world, they are free to them, 
and they set out all the issues of privacy, security, and 
cybercrime, and how to develop an enterprise security program. 
Our books would significantly improve our own security and 
advance world peace if we were able to get them into audiences 
as workshops and textbook materials.
    Thank you very much for your interest, and I await your 
questions.
    Mr. Putnam. Thank you very much.
    [The prepared statement of Ms. Westby follows:]

    [GRAPHIC] [TIFF OMITTED] T8486.079 through T8486.094
    
    Mr. Putnam. Mr. Schmidt and Mr. Conner, through your 
extensive work on information security issues, what conclusions 
have you drawn about why corporate America is not taking the 
problem with information security seriously enough?
    Mr. Schmidt. Well, I am not sure that I totally agree that 
it is not being taken seriously. I think, as has been pointed 
out more than once, there is a greater recognition now more so 
than ever before of the tremendous importance that 
cybersecurity is, but it is very complex. It is not as if we 
designed a system to eventually become secure. Many 
corporations that I see literally around the world have built 
systems that they put a system in place, and then they add 
another piece on top of it, so it has been very difficult.
    What happens in the past couple years, now we recognize 
obviously the critical infrastructure protection piece and the 
governance pieces, as Mr. Conner related to, where we have 
seen a lot more intended dollars and efforts put into the 
cybersecurity. But it is a complex issue, and is not something 
you can just flip a switch and turn it over. It will take a 
couple years by the time we get operating systems and 
engineering design and quality processes in place to make it be 
able to respond and say, yes, we have much better security now 
than we have in the past.
    Mr. Putnam. Mr. Conner.
    Mr. Conner. Simply, they are not taking the time. And if 
you take the time, the question is where you start. That is why 
we spent considerable amount of time on a framework, because I 
personally believe, as many companies do, you need a framework 
to systemically assess your business for where the high risk is 
and how do you get a baseline to measure it. Once you have 
that, then you can apply it. It is a very simple process to get 
started, but if you don't know where to start, all your 
journeys will take you somewhere, but maybe not where you want 
to go, and you won't get a return on investment, and you won't 
be more secure.
    I think that starts with the senior management executives 
and board saying, we are going to take a framework that exists 
now, it is public, it has been there for 6 months, and get 
started. And that means you can't delegate it to a CIO; you 
have to assess your own business needs and risks. And that is 
something in today's environment; many corporations do it, and 
many more don't do it. And I can assure you, in the ones I talk 
to, all of them are concerned about the liability of that 
assessment. It is a litigious society, and in this environment 
with class actions and others, that evidently comes through 
every discussion.
    Mr. Putnam. Dr. Hancock, do you wish to add anything to 
that?
    Mr. Hancock. I have two perspectives on it, sir. One is I 
deal with the same folks that Mr. Schmidt and Mr. Conner deal 
with in many respects because a lot of us all have the same 
kind of customers. It has been my experience that most board of 
directors-level folks have a very limited knowledge of 
security, and a lot of that is because security is not personal 
to them. They don't understand even the basics.
    And I will give an example, sir. My son is 15 years old. 
When he was 7 years old, someone tried to kidnap him. Because I 
am a security person and by definition paranoid, when he 
started--at 4 years old I started him in Taekwondo. When the 
person grabbed my son, my son dislocated his kneecap and four 
of his knuckles. As a result of that, I believe that assets 
should be self-defensible, and includes my family, includes my 
children, includes my home, whatever the case may be.
    Most people don't look at security that way. To them, 
security is managed and dealt with by someone else, and, just 
like Mr. Conner said, a lot of times delegated to the CIO. Many 
times the CIO has no capabilities or understanding of what the 
security issues are. It is chopped out of the budget. It is 
considered to be something that is more of an irritant than 
something that needs to be done.
    So it's not part of the corporate agenda overall. The 
second problem runs in, just from a pure technology 
perspective. Very few people in the business really understand 
how to secure things correctly. One of the problems we have is 
we continue to deploy technologies that are not secure in 
nature, and then we go back and try to provide technology to 
secure that.
    As a case in point in my own company, I operate well over 
50,000 routers. Of those 50,000 routers, I have over 11,000 
firewalls. I know categorically that those firewalls cannot 
protect my network or my customers from everything that will 
come by, because the oppositions are far more creative and have 
a lot more time than my security people do.
    As a result of that, we are in a constant challenge from a 
pure security perspective. How do you stop things from 
happening when the technology doesn't exist for us to identify 
who is launching an attack or identify a way for us to go back 
and trace it back to figure out where it is coming from, just 
the very basics? So you have a secondary problem that if the 
board of directors did come down tomorrow and they did embrace 
security and said, yes, really want to do this, the sad reality 
is much of the technology that is required to stop a lot of 
this nonsense from happening just flat doesn't exist, and it 
will take time for that technology to be put into place since 
it is going to take research to make happen.
    Mr. Putnam. Thank you. My time has expired. I will call on 
Mr. Clay.
    Mr. Clay. Thank you. Ms. Westby. I will start with Ms. 
Westby. First of all, thank you for your publication, and can 
you tell me what lessons can be learned from the private 
sector's efforts to comply with the internal control 
requirements of the Sarbanes-Oxley legislation by the Federal 
agency community? Are there similarities between the public and 
private sectors in terms of securing networks containing vast 
amounts of individual data?
    Ms. Westby. Actually, I think that the private sector in 
this instance learns more from the government. Information 
security is very different from the days when Al Gore was 
reinventing the government and the government was looking to 
the private sector for best practices.
    Our government is clearly the world leader in information 
security practices, and NIST has done world-class work. Their 
guidance and controls in metrics are excellent, and they, the 
enterprise security program mandated by FISMA and the NIST 
guidance that corresponds with that, offer an excellent 
example.
    It is unfortunate that the word ``security'' is not 
mentioned anywhere in Sarbanes-Oxley, and there is a lot of 
traffic on my listserves about what does that really mean, what 
do the internal control requirements really encompass and how 
far does that go into checking integrity of financial data, how 
far does that go into systems.
    Mr. Clay. Thank you for that response.
    Mr. Schmidt, as a former White House Cyber Security 
Adviser, would you agree that the Federal procurement process 
would be an ideal mechanism to improve the security of products 
and services delivered by vendors to the agency community? 
Wouldn't this have a profound effect on the development of more 
secure and uniform products for both the agency and critical 
infrastructure and communities?
    Mr. Schmidt. Yes, sir, I sure do. As a matter of fact, I 
talked from time to time about discussions we have had with 
vendors that supply service to the government and CIO, CSOs for 
the government, and it was amazing the disconnect that I have 
seen many times where, say, listen, we would like to actually 
pay extra money to get security services, but nobody is willing 
to provide it. And then you go to the vendor, vendor says 
nobody is willing to pay the extra money for it.
    So clearly the procurement arm of government can do much 
to, you know, set requirements, instead of, you know, accepting 
things the way they are, establish the requirements that one 
would have, and then that will have that trickle down effect to 
the rest of society, because if we are buying more secure 
routers and more secure operating systems for the government, 
the private sector is clearly going to jump on that bandwagon as 
well. So it's a vehicle I think can take us a long way in a 
short period of time.
    Mr. Clay. Let me ask you, according to Mr. O'Carroll, from 
our first panel, the SSA's Office of Inspector General had 
recently discovered a plan by one individual to sell up to 
10,000 Social Security numbers and matching names on your 
company's Web site.
    Can you outline for us the methods and controls utilized by 
your company to identify and prevent such illicit activity?
    Mr. Schmidt. Yes, we do. We have an entire group, literally 
hundreds of people worldwide, that look at listings that occur 
for everything from counterfeit currency to, you know, war 
materiel, weapons, things of that nature, and we have not only 
physical reviews of data but also automated reviews.
    Various trigger mechanisms will actually flag something for 
the customer service people to dig down further into it. The 
challenge we run into from time to time is that people get 
very, very creative about how they title certain things. So 
they may not cite it saying, well, I am going to sell Social 
Security numbers but they are going to say identification 
cards, which may not trigger something. So we are constantly 
evolving and changing to make sure that we adapt to the 
things that we see out there as new threats occur.
    Mr. Clay. Thank you for that response.
    Mr. Chairman, I yield back my time. I have no further 
questions.
    Mr. Putnam. Mr. Clay, thank you.
    Ms. Westby, from your testimony, and you have heard the 
answers that the other panelists have given about this issue, 
the issue of ignoring information security risks and the 
liability that it avoids or causes, in your experience in the 
field of information technology law, do you see the attitude of 
being proactive about information security taking hold?
    Ms. Westby. Yes. The market has matured. The awareness has 
increased, and I believe that especially in the environment we 
have today, with heightened emphasis on corporate governance, 
that senior management and boards are taking a look at what 
exactly is within their realm of responsibility, and they, at 
least many of the major companies who are assisting with 
Sarbanes-Oxley, are saying we have to look at how you are 
handling the data in the computer system. I think overall, 
though, our efforts have been in vain.
    Over the last 6 years there have been enormous efforts made 
by the Federal Government, by different organizations, to 
engage businesses through, as an enterprise, horizontally and 
vertically across an organization. I do think that has matured 
and that we are seeing progress.
    Mr. Putnam. Thank you. Mr. Schmidt and Dr. Hancock, in your 
lines of business, clearly spam and denial of service attacks 
are of great concern. A recent Symantec report suggests that 
for the first half of this year it saw a huge increase in 
zombie PCs. The company said it was monitoring 30,000 per day. 
You made reference to that, Dr. Hancock, with a peak of 75,000. 
Some estimates state that it is possible that as many as half 
of the machines on the Internet are in an infected state.
    How big of a threat is this bot issue or zombie issue to 
national or economic security?
    Mr. Schmidt. Well, I couldn't agree more. We have seen 
instances, in working with the law enforcement folks, those 
exact numbers--we have actually been able to identify from 
cable modem and home DSL users. So it's significant, because if 
you look through the cascade of litanies and ills that can 
result as a result of that, one clearly the hacking portion 
into the critical infrastructure, the identity theft, the 
denial of service attack capability.
    If you remember back, February 2000, when we had the big 
denial of service attack that people talked about all the time, 
that was done at a rate of about 800 megabytes per second, 
which is a relatively insignificant amount of data now. Now, 
with 20,000 systems that have been compromised, you can do 3 
gigabytes, you know, almost three times as much worth of 
damage. So when you look at the overall aspect of it, you look 
at the identity theft, you look at the lack of trust that we 
have in the environment, if 87 percent of that 840 million 
users I referenced to earlier, are doing e-mail, less than 17 
percent are doing e-commerce, economically that's just as bad. 
We should be able to go ahead and improve that. The way we can 
go ahead and do that is by making sure that we have the defense 
in depth where, No. 1, the spams and scams aren't getting in the 
inbox for the most part. If they do get there, some sort of 
firewall or browser protection or some sort of file validation 
keeps you from doing something ill from there; and then last of 
course making sure that we are getting a law enforcement 
prosecution of these things.
    The challenge I have with the law enforcement side, which 
is directly related to this, is this is a crime in progress. 
This is no different than somebody walking into a liquor store 
and sticking up somebody with a gun, except you are not there 
physically. It has to be dealt with on a real-time basis.
    Mr. Putnam. Dr. Hancock.
    Mr. Hancock. I will have to agree with Mr. Schmidt on all 
of that. I will also add that one of the problems we have with 
zombie networks is that many times that we found over the last 
few years--is that those zombie networks are now being operated 
by organized crime in some cases.
    As a matter of fact, there was one I was recently involved 
with--a direct investigation on--that was a gaming site, where 
the gaming site was held up for extortion because of a denial 
of service attack launched against it by a series of Russian 
organized crime. We know that. We tracked it back. We worked 
with the Russian law enforcement agencies. The fact of the 
matter was we pinned it down and nailed the guy. But the 
situation is that it took months to happen.
    This sort of thing is happening more and more. We are 
seeing a whole lot more happening where e-commerce is the 
reason for the site to exist. And we are seeing more and more 
of this happen where corporations are depending more on their 
network infrastructure and then they are being held up for 
extortion or being held up for some sort of, if you will, 
ransom because of their technology being disabled through 
things like denial-of-service attacks and things like zombie 
nets being used.
    I will also agree with Mr. Schmidt--what he just said--
about the severity of these types of attacks. We recently saw a 
denial-of-service attack execute at 3.2 gigabytes. I had not 
seen one like that before. We operate a very large network 
infrastructure. We have a lot of customers out there that are 
some of the places that you would normally frequent on the Web.
    When that one hit we disabled that one within 6 minutes. 
But what was more important about it was within 5 minutes after 
that the attacker completely redirected and attacked a 
completely different addressing block. I have never seen 
something like that happen. That means you can take 10,000 to 
20,000 zombies, literally have them turn on a dime, and then 
reconnect and reattack a completely different site.
    That basically shows technical sophistication on the part 
of the attackers. It also shows that the zombie sophistication 
is increasing, which means that these products can be directed, 
redirected very, very quickly, and be pointed with a very 
debilitating attack against a very large network pipe. As a 
result of that, over time we are going to see more of that 
happen, where the zombie networks where we have 5,000, 6,000 
zombies all of a sudden become 100,000. And now the types of 
attacks that can kill things like power networks, water 
networks, those start to become very serious reality, where a 
whole power grid is disabled simultaneously.
    So I believe that the zombie threat is a very severe one. I 
think it's going to get a lot worse, just like any other 
software. There are new versions of it coming out all the time 
and the zombies are being upgraded with additional 
capabilities. All of these things put together are going to 
cause very serious problems to our e-commerce capabilities.
    Mr. Putnam. Who has the sophistication and technical 
capacity to do what you just described?
    Mr. Hancock. If you asked me that question 10 years ago, I 
would have to say it would be a hard core, stone geek to do it. 
The fact is any more it takes very little sophistication. The 
attack Mr. Schmidt talked about in February 2000 was my first 
day of employment at the company that was acquired--and then 
acquired where I am now. I had been with the company exactly 2 
minutes when Amazon.com, CNN.com and a few other sites went 
splat. The reality of that was we found out later in the day 
those attacks were executed by a 16-year-old out of Toronto, 
Canada who went by the handle called Mafia Boy.
    We were involved with the FBI and with the Secret Service 
and quite a few other agencies to track this individual down. 
We are capable of tracking these people down fairly quickly. 
Trying to get them apprehended and dealt with is a different 
story. That took weeks.
    So the end result was you had a child here who downloaded 
an ``exploit'' from a Web site. This individual had no 
sophistication whatsoever in understanding that exploit or in 
writing that tool. However, sophisticated people are all over 
the Web. Those sophisticated people will find the 
vulnerability. They will write the exploit. They will post it 
on a Web site. They themselves do not execute that particular 
attack. Instead, other people--which we call script kiddies, 13 
to 18-year-old types--will download and execute debilitating 
attacks. This is very, very common and comprises 
approximately 80 percent of the attacks we see.
    My infrastructure gets attacked anywhere from 200 to 400 
times a day. As a result of that, we see a lot of this stuff. 
We deal with a lot of that stuff. Most of the time it is pretty 
straightforward to deal with it.
    What I am concerned about is the people who are serious, 
doing it for profit motives. Those people will employ 
programmers--they will employ people with specific skill sets--
and those people with specific skill sets will create these 
tools for a specific nation reason. There may be a nation state 
that wishes to cause harm to us by debilitating capabilities or 
somebody just as simple as a Russian mob trying to go back and 
extort money from a company that executes business over the 
Web.
    Mr. Putnam. What responsibilities does the hardware and 
software community have in all of this? How much does the 
constant influx of new patches for vulnerabilities in their 
products contribute to the problem of cyber crime?
    Mr. Hancock. Well, sir, I will give you an example, a very 
popular desktop operating system that's floating around, used 
to have a version called Version 3 that comprised 3 million 
lines of code. The current version, which was very popular on 
most PCs, comes out with over 45 million lines of code. The 
next version coming out next year is going to be almost 50 
million lines of code.
    When you have something that large, trying to secure that, 
no matter how conscientious you are, is virtually impossible. 
And so the result is as our versions get more and more 
sophisticated, as they get more and more and more complex and 
we layer complexities on top of that operating system--for 
example, a very popular data base out there has almost 1 
billion codes in it. When you take an operating system that has 
45 billion lines of code, a data base with 1 billion lines of 
code, you then put on top of that object-oriented programming, 
which is done by the programmer so that you can communicate to 
the data base, so you can do something useful with it, you can 
end up very quickly with a couple of billion lines of code on a 
server sitting in a data center someplace. Trying to secure 
that is not trivial. Trying to go back and instill programming 
discipline to make that secure is not trivial.
    All of these things require a great deal of education on 
the part of programmers. They also require standards. They also 
require other types of methodologies that say this is a good 
way to write code or a bad way to write code. The problem that 
we have is that we have gone and put all these types of 
technology in for many years without any discipline in the 
areas of security, all from the way our program is written to 
the way that we deploy technology to the way we manage it on a 
day-by-day basis. And just like when Mr. Conner said and Ms. 
Westby said and Mr. Schmidt have said--a lot of it has to do 
with corporate governance. There has not been an insistence by 
the corporate echelon to require vendors to instill security in 
their technology, to put security in, code, to put security in 
even simple things like routers.
    My most basic concern is that I work very closely with all 
the chief security officers of the telcos through the FCC. We 
offer something there called Focus Group 2B, which puts forth 
cyber security best practices. There are 54 people involved 
with that. We own about 90 percent of the actual infrastructure 
that everybody uses.
    We got together last December and told the FCC 
categorically, and through public documentation, that one of 
the biggest problems we have is we keep deploying 
technology which is woefully inadequate, and we keep deploying 
more.
    So to give you part of an example of a zombie problem, one 
of my base concerns that keeps me awake right now is third 
generation cell phones, and that is because most cell phones 
coming out of the cell phone manufacturers operate an operating 
system which is a derivative of Linux. That operating system 
can have viruses. That operating system can be used as a 
zombie. Under third generation cell phones they will all have a 
TCP-IP address. This means that every single handset can become 
a zombie and part of an attack vector, which means the current 
population of approximately 850 million Internet nodes will 
grow very quickly to 3 billion Internet nodes, all of which can 
be attacked and put through worm automation technology, a 
zombie parked on every handset out there.
    In addition, those handsets will be used for everything 
from e-commerce to charge services, to go back over and even 
get a soda out of a soda machine, because they are all being 
done that way in Europe right now. All those areas basically 
mean that the software development, the hardware development, 
has to instill security discipline, which is not there. In 
addition to that, we will continue to deploy these 
technologies, and these technologies have serious flaws in 
them. That is not being corrected.
    Mr. Putnam. That's uplifting.
    Mr. Schmidt, you made reference to the fact that simply 
using passwords is just not adequate any more and that the 
Nation should move to a two-factor authentication by the end of 
next year. Yesterday a major ISP announced that it would make 
major authentication available to its customers. Do you see 
this as being a positive development, and do you see that being 
the beginning of even more offerings of and a greater 
commitment to secure communications?
    Mr. Schmidt. Yes. As a matter of fact, it's a tremendous 
step forward. We have been working for about the past 7 months. 
We, meaning a group of security experts, have been working with 
that company, other companies, Mr. Conner's company, others, 
looking for solutions that we can do on a real-time basis to 
provide that extra two-factor authentication for the customer 
and end user space. I cite my DOD side of life as a computer 
crime investigator. I now have a spy card I can use on my 
computer government system that I can log into my DOD account 
with full encryption, full authentication, and to really know 
it's me.
    We need to move that way in a security space for the 
consumers. It's probably going to be a slow process. There's 
going to be some shaking up of who is going to be the coalition 
and who is doing this. I think we have clearly reached a point 
in society with the phishing e-mails, the identity theft, the 
hacking, that society is ready to move to the ATM card of 
online world, if you will.
    Mr. Putnam. Mr. Conner, do you see other companies 
following AOL's lead?
    Mr. Conner. Yes. The only comment I made, and Howard and I 
talk about, it's a necessary step but it's a baby step. Most of 
these are cost prohibitive for the masses, and this is not an 
issue that can be dealt with on the haves and have-nots. That 
is going to require innovation and deployment around identity 
and how do you deal with identity for every citizen or customer 
of eBay or someone else. And the current technology, that 
becomes quite cumbersome to do in terms of ease of use and 
economics.
    I would also offer it's only half the issue. Authentication 
or identity is one-half. It's the information they are reaching 
for that is the other half, and the second factor of any 
authentication scheme only deals with who is allowed in or not. 
That leaves the information itself still unprotected.
    I just offer, you know, earlier, in the earlier panel, the 
question on SB 1386 came up. I share with you, that's probably 
been one of the more successful legislations in terms of focus 
because it drove focus on information and how do you protect 
information. It is a given people are going to get in. The 
question is, what access to what information do they have when 
they get in?
    If all you are doing is playing defense on the perimeter 
and trying to keep people out, you are never going to win. You 
have to offensively protect and encrypt the information on the 
inside. And the threat in California of class action suit. 
Every corporate executive understands that, especially in 
California. So I just offer that identity theft, you can't be 
stuck on just the identity authentication, it is the 
information that must ultimately be protected. And anything 
that I have seen that's been announced up to this point, even 
yesterday with the ISP, only deals with half the equation.
    Mr. Putnam. Well, I would like to give this panel the same 
opportunity that the first panel had, and we will begin with 
you, Ms. Westby, of giving any closing remarks that you think 
are important for the subcommittee to have on the record, 
answering any question you wish you had been asked or giving us 
any other thoughts.
    Ms. Westby. Well, I would just leave you with the thought 
that there are some black holes that need to be addressed 
beyond technology gaps. One is in the legal framework. There is 
absolutely no legal framework or rules of law for how nation 
states will respond to cyber attacks. There is no capability 
for allied countries to work together to have some sort of 
allied response.
    In defense circles cyber defense is not a category. A 
defense category is still land, sea and air, and we see cyber 
as footnotes in presentations. It is also not an integrated 
response capability. And we have to think beyond, when we are 
looking at terrorist attacks and information warfare and the 
potential attacks from other countries, we have to look beyond 
our legal framework and think about how we can respond in a 
situation that would involve nation state activity or require 
coordinated action by other nation states.
    Mr. Putnam. Thank you.
    Mr. Conner.
    Mr. Conner. Mr. Chairman, I want to thank you for your 
diligence, support of these issues, and your forceful viewing 
of the hearing on these issues. I would just ask that the task 
force report on framework--I think this specific subcommittee 
that did such good work on GISRA and FISMA and putting the 
report cards out needs to go to the framework of assessment 
that we are asking private industry to do.
    I think part of the problem with the report card piece is 
it's a different model than what private industries are doing. 
So there's a gap between the two, and I think you would find 
you would make much more progress on a benchmark and 
measurements by using the [ISO] 17799 standard that we 
consulted with FISMA on to hold the departments and agencies 
accountable and give them a reference for it, for the private 
industries they deal with, whether it's DOE with utilities or 
whether it's Commerce with banks or Treasury with banks.
    So I would just offer that as a final comment.
    Mr. Putnam. Thank you, Dr. Hancock.
    Mr. Hancock. Mr. Chairman, thank you very much for today 
and also for your continued leadership in the area of cyber 
security. One of the things that I think are important to 
realize with all of this is that we have a problem with 
corporate governance. I think that's pretty much a given. I 
think the secondary problem that we have also at the same time 
is that we have to realize that as we continue to deploy 
technology we continue to make the networks larger and more 
complex, and with complexity comes the difficulty of trying to 
secure it. And we are going to find in a very short amount of 
time that the size of the Internet will double or triple, and 
the reason we will do that is because of handsets and because 
of PDAs and because of other types of portable devices that 
will become enabled or Internet capable.
    We will also simultaneously find the technology that is 
invisible to us now, such as a refrigerator, will become an 
important machine on the network. We know that some vendors are 
working right now with appliance manufacturers to go back and 
provide an Internet connectivity with different types of 
appliances. So someone could turn your refrigerator off from a 
remote location if they desired or hack it.
    The result is that I think what we see is extortive 
attempts by people now will change. I think that what we will 
see is identity theft will change, where you will steal an 
entire city block's worth of IP addresses and sell them off to 
someone else. I think we are going to see the whole framework 
of what is an identity theft and what kind of crime could be 
committed with that change quite radically over the next couple 
of years.
    So I think there is a serious sense of urgency in terms of 
how do you deal with the identity of both individuals, 
applications and technology devices, so that we can probably go 
back over--not just trace these back, but secure them and put 
them in the proper technologies to make that happen.
    Mr. Putnam. And, Mr. Schmidt.
    Mr. Schmidt. Mr. Chairman, I also would like to thank you 
once again, not only for your leadership, continued leadership 
in this area, but also for Bob Dix, who as I jokingly told a 
friend of mine one time as I was driving out of D.C. after I 
retired, looking back in a rear window, at least Bob is there 
to keep this fight going. I thank you for that.
    Just a couple of quick comments, one relative to the 
private sector and the government now. We have seen over the 
past few years the changing of the guard, if you would, when it 
comes to cyber security within corporations. Executives such 
as, you know, Mr. Hancock and myself are now outside of the IT 
organization. We have a special focus on cyber security, no 
longer just an IT function, which I think is very important, 
because it is more than just the technology.
    Looking at the government side, I think there probably 
should be some good reviews on how the government functions in 
that regard. How closely, you know, are we still putting 
security folks in the IT organization, working for CIOs and 
somewhat handicap them in somewhat former fashions.
    The other portion of it--and both the Secret Service and 
FBI--we talked about information sharing. I constantly get 
calls from people because of my law enforcement background 
asking me, well, who do I call in the city? Do I call the 
Secret Service, do I call the FBI? Is it the Electronic Crimes 
Task Force, the Cyber Crimes Squad? And the answer is not 
whoever gives you the best service. There should be a much more 
formal form of consolidation. If we have a cyber crime squad 
with the FBI, an electronic crimes in the same city, they 
should be part of a joint task force. And that would help solve 
a lot of the sharing information issue, plus a lot of the 
confusion in the private sector on who to call.
    And last, as I mentioned, I thank you for asking me that 
question about the two-factor authentication. We are poised 
within the government to do something about the stronger 
authentication piece, OMB's office. I think we can look at that 
from a two-factor perspective, provide some perspective not 
only for government employees, but also for the private sector 
as well, be able to do your health care, you know a litany of 
things that could be done that could make two-factor 
authentication the normal way of doing business as opposed to 
what we have seen up to now. But thank you once again.
    Mr. Putnam. Thank you.
    I want to thank all of our witnesses for their 
participation today. Your testimony is further evidence that it 
is so important for us to take immediate steps to improve our 
cyber security throughout the Nation. In the event there may be 
additional questions we did not have time for today, the record 
will remain open for 2 weeks for submitted questions and 
answers. We thank you all for your hard work and look forward 
to continued progress for the remainder of this year and in the 
next Congress.
    The subcommittee stands adjourned.
    [Whereupon, at 4:15 p.m., the subcommittee was adjourned.]